Hi,

On Thu, May 5, 2022 at 8:44 PM Sean Owen <sro...@apache.org> wrote:

> This is a Velocity issue. Spark doesn't use it, although it looks like
> Avro does. From reading the CVE, I do not believe it would impact Avro's
> usage - velocity templates it may use for codegen aren't exposed that I
> know of. Is there a known relationship to Spark here? That is the key
> question in security questions like this.
>
> In any event, to pursue an update, it would likely have to start by
> updating Avro if it hasn't already, and if it has, pursue upgrading Avro in
> Spark -- if the supported Hadoop versions work with it.
>

Avro uses Velocity 2.3 since v 1.11
( https://github.com/apache/avro/commit/8824d6577368cf29b867efcd331151259c24e7b0 )

Spark 3.3.0 will use Avro 1.11
( https://github.com/apache/spark/commit/132548116a0842c3db6abc99bc8298d504624abd )

For earlier versions of Spark you will need to update Velocity in your
Maven/Sbt/Gradle/... config.

>
> On Thu, May 5, 2022 at 12:32 PM Pralabh Kumar <pralabhku...@gmail.com>
> wrote:
>
>> Hi Dev Team
>>
>> Please let me know if there is a jira to track this CVE changes with
>> respect to Spark. Searched jira but couldn't find anything.
>>
>> Please help
>>
>> Regards
>> Pralabh Kumar
>>
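The Velocity pin for older Spark builds that the reply above recommends, written out for Maven as an added example (not from the thread or from either project). It assumes the Velocity 2.x artifact coordinates `org.apache.velocity:velocity-engine-core` and that the pre-1.11 Avro artifacts pull in the older `org.apache.velocity:velocity` artifact; confirm both against your own `mvn dependency:tree` output before relying on it.

```xml
<!-- Added example: force Velocity 2.3 in a project on Spark < 3.3.0 / Avro < 1.11. -->
<!-- Velocity 1.x and 2.x use different artifactIds, so a plain version override   -->
<!-- of "velocity" does not upgrade anything: exclude the old artifact and add the  -->
<!-- new one explicitly. Coordinates below are assumptions, not from the thread.   -->
<dependencyManagement>
  <dependencies>
    <!-- Assumed: the Avro artifact that transitively brings in Velocity 1.x. -->
    <dependency>
      <groupId>org.apache.avro</groupId>
      <artifactId>avro-compiler</artifactId>
      <version>${avro.version}</version>
      <exclusions>
        <exclusion>
          <groupId>org.apache.velocity</groupId>
          <artifactId>velocity</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <!-- Pin the 2.x engine at the version Avro 1.11 itself moved to. -->
    <dependency>
      <groupId>org.apache.velocity</groupId>
      <artifactId>velocity-engine-core</artifactId>
      <version>2.3</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

After the change, `mvn dependency:tree -Dincludes=org.apache.velocity` should list only `velocity-engine-core:2.3`; any code of yours that calls the Velocity 1.x API directly still has to be checked against 2.x, which is the compatibility point the reply raises.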