[ https://issues.apache.org/jira/browse/SPARK-27358?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sean Owen resolved SPARK-27358.
-------------------------------
    Resolution: Fixed
    Fix Version/s: 2.3.4
                   2.4.2
                   3.0.0

Issue resolved by pull request 24288
[https://github.com/apache/spark/pull/24288]

> Update jquery to 1.12.x to pick up security fixes
> -------------------------------------------------
>
>                 Key: SPARK-27358
>                 URL: https://issues.apache.org/jira/browse/SPARK-27358
>             Project: Spark
>          Issue Type: Improvement
>          Components: Web UI
>    Affects Versions: 3.0.0
>            Reporter: Sean Owen
>            Assignee: Sean Owen
>            Priority: Major
>             Fix For: 3.0.0, 2.4.2, 2.3.4
>
>
> jquery 1.11.1 is affected by a CVE:
> https://www.cvedetails.com/cve/CVE-2016-7103/
>
> This triggers some warnings in tools that check for known security issues in dependencies.
>
> Note that I do not know whether this actually manifests as a security problem for Spark. But, we can easily update to 1.12.4 (latest 1.x version) to resolve it.
>
> (Note that https://www.cvedetails.com/cve/CVE-2015-9251/ seems to have been fixed in 1.12 but then unfixed, so this may require a much bigger jump to jquery 3.x if it's a problem; leaving that until later.)
>
> Along the way we will want to update jquery datatables to 1.10.18 to match jquery 1.12.4.
>
> Relatedly, jquery mustache 0.8.1 also has a CVE:
> https://snyk.io/test/npm/mustache/0.8.2
>
> I propose to update to 2.3.12 (latest 2.x) to resolve it.
>
> Although targeted for 3.0, I believe this is back-portable to 2.4.x if needed, assuming we find no UI issues.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org