Re: Apache spark 3.0.3 [Spark lower version enhancements]

2022-02-18 Thread Sean Owen
These kinds of static analysis have limited value to send around. It's not clear whether any of the CVEs actually affect Spark's usage of the library. Jackson -- generally, yes, could theoretically affect Spark apps. I can't really read this output, but seems like the affected versions are

Re: Apache spark 3.0.3 [Spark lower version enhancements]

2022-02-15 Thread Sean Owen
I think these are readily answerable if you look at the text of the CVEs and the Spark 3.0.3 release. https://nvd.nist.gov/vuln/detail/CVE-2019-17531 concerns Jackson Databind up to 2.9.10, but you can see that 3.0.3 uses 2.10.0. https://nvd.nist.gov/vuln/detail/CVE-2020-9480 affects Spark 2.x, not
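Added example, not from the thread or from the Spark project: a small Python triage script that does mechanically what the reply above does by hand, i.e. compares the version of a library a release actually ships against the affected range stated in the advisory. The manifest text is constructed (one `artifact/version//jar` line per dependency) and is not the real Spark 3.0.3 dependency list; the only facts taken from the thread are that 3.0.3 ships jackson-databind 2.10.0, that CVE-2019-17531 covers jackson-databind up to 2.9.10, and that CVE-2020-9480 affects Spark 2.x. The advisory tuples and the `triage` function are assumptions for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample manifest (NOT the real Spark 3.0.3 dependency list).
# Only the jackson-databind version (2.10.0) comes from the thread.
SAMPLE_MANIFEST = """\
jackson-annotations/2.10.0//jackson-annotations-2.10.0.jar
jackson-core/2.10.0//jackson-core-2.10.0.jar
jackson-databind/2.10.0//jackson-databind-2.10.0.jar
"""

# (cve, artifact, affected_from_inclusive, affected_to_inclusive, affected_to_exclusive)
# CVE-2019-17531: jackson-databind up to and including 2.9.10 (as stated in the thread).
# CVE-2020-9480: Spark 2.x, encoded here as "below 3.0.0" (as stated in the thread).
ADVISORIES = [
    ("CVE-2019-17531", "jackson-databind", None, "2.9.10", None),
    ("CVE-2020-9480", "spark", None, None, "3.0.0"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Split a dotted version into integers; a trailing qualifier like -SNAPSHOT
    is dropped. No fixed arity, so 2.9.10.1 can be compared against 2.9.10."""
    core = re.match(r"[0-9]+(?:\.[0-9]+)*", text)
    if core is None:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in core.group(0).split("."))


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1; shorter tuples are right-padded with zeros so that
    2.9.10 == 2.9.10.0 and 2.10.0 > 2.9.10 (numeric, not string, ordering)."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def in_affected_range(version: str, start_incl: Optional[str],
                      end_incl: Optional[str], end_excl: Optional[str]) -> bool:
    """True if version falls inside [start_incl, end_incl] or [start_incl, end_excl)."""
    if start_incl is not None and compare(version, start_incl) < 0:
        return False
    if end_incl is not None and compare(version, end_incl) > 0:
        return False
    if end_excl is not None and compare(version, end_excl) >= 0:
        return False
    return True


def parse_manifest(text: str) -> Dict[str, str]:
    """Map artifact -> version from 'artifact/version//file.jar' lines (assumed format)."""
    shipped: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"^([^/]+)/([^/]+)/", line)
        if match:
            shipped[match.group(1)] = match.group(2)
    return shipped


def triage(spark_version: str, manifest_text: str,
           advisories) -> List[Tuple[str, str, Optional[str], str]]:
    """For each advisory report (cve, artifact, shipped_version, verdict) where
    verdict is 'affected', 'not-affected', or 'not-shipped' (library absent, so
    the CVE cannot apply through this release's own dependency set)."""
    shipped = parse_manifest(manifest_text)
    shipped["spark"] = spark_version  # treat Spark itself as a component
    results = []
    for cve, artifact, start, end_incl, end_excl in advisories:
        version = shipped.get(artifact)
        if version is None:
            verdict = "not-shipped"
        elif in_affected_range(version, start, end_incl, end_excl):
            verdict = "affected"
        else:
            verdict = "not-affected"
        results.append((cve, artifact, version, verdict))
    return results


if __name__ == "__main__":
    for row in triage("3.0.3", SAMPLE_MANIFEST, ADVISORIES):
        print(*row)
```

The "not-shipped" verdict is the point the reply makes: a scanner hit on a library name only matters if the release in question actually carries an affected version of it. For a real run, take the ranges from the NVD configuration data for each CVE rather than typing them in, and feed the script the release's actual dependency manifest.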

Re: Apache spark 3.0.3 [Spark lower version enhancements]

2022-02-15 Thread Rajesh Krishnamurthy
Hi Sean, I am looking for fixing the vulnerabilities such as these in the 3.0.X branch. 1) CVE-2019-17531 2) CVE-2020-9480 3) CVE-2019-0204 Rajesh Krishnamurthy | Enterprise Architect T: +1 510-833-7189 | M: +1 925-917-9208 http://www.perforce.com Visit us on:

Re: Apache spark 3.0.3 [Spark lower version enhancements]

2022-02-14 Thread Sean Owen
What vulnerabilities are you referring to? I'm not aware of any critical outstanding issues, but not sure what you have in mind either. See https://spark.apache.org/versioning-policy.html - 3.0.x is EOL about now, which doesn't mean there can't be another release, but would not generally expect

Re: Apache spark 3.0.3 [Spark lower version enhancements]

2022-02-11 Thread Sean Owen
3.0.x is about EOL now, and I hadn't heard anyone come forward to push a final maintenance release. Is there a specific issue you're concerned about? On Fri, Feb 11, 2022 at 4:24 PM Rajesh Krishnamurthy <rkrishnamur...@perforce.com> wrote: > Hi there, > > We are just wondering if there are

Apache spark 3.0.3 [Spark lower version enhancements]

2022-02-11 Thread Rajesh Krishnamurthy
Hi there, We are just wondering if there is any agenda by the Spark community to actively engage in development activities on the 3.0.x path. I know we have the latest version of Spark with 3.2.x, but we are just wondering if there are any development plans to have the vulnerabilities fixed on the 3.0.x