Re: High/Critical CVEs in jackson-mapper-asl (spark 3.5.5)

2025-03-18 Thread Ángel Álvarez Pascua
Hi Spark Community, > > > > I hope you are doing well. > > We have identified high and critical CVEs related to the > jackson-mapper-asl package used in Apache Spark 3.5.5. We would like to > understand if there are any official fixes or recommended mitigation steps > avai

High/Critical CVEs in jackson-mapper-asl (spark 3.5.5)

2025-03-18 Thread Mohammad, Ejas Ali
Hi Spark Community, I hope you are doing well. We have identified high and critical CVEs related to the jackson-mapper-asl package used in Apache Spark 3.5.5. We would like to understand if there are any official fixes or recommended mitigation steps available for these vulnerabilities. | CVE

Re: CVEs

2021-07-12 Thread Eric Richardson
ributors. >>>> >>>> On Mon, Jun 21, 2021 at 3:43 PM Sean Owen wrote: >>>> >>>>> Whether it matters really depends on whether the CVE affects Spark. >>>>> Sometimes it clearly could and so we'd try to back-port dependency update

Re: CVEs

2021-06-21 Thread Eric Richardson
ck-port dependency updates >>>> to active branches. >>>> Sometimes it clearly doesn't and hey sometimes the dependency is >>>> updated anyway for good measure (mostly to keep this off static analyzer >>>> reports) but probably wouldn'

Re: CVEs

2021-06-21 Thread Sean Owen
early doesn't and hey sometimes the dependency is updated >>> anyway for good measure (mostly to keep this off static analyzer reports) >>> but probably wouldn't backport. >>> >>> Jackson has been a persistent one but in this case Spark is already on

Re: CVEs

2021-06-21 Thread Sean Owen
ackport. >> >> Jackson has been a persistent one but in this case Spark is already on >> 2.12.x in master, and it wasn't clear last time I looked at those CVEs that >> they can affect Spark itself. End user apps perhaps, but those apps can >> supply their ow

Re: CVEs

2021-06-21 Thread Holden Karau
anyway for good measure (mostly to keep this off static analyzer reports) >> but probably wouldn't backport. >> >> Jackson has been a persistent one but in this case Spark is already on >> 2.12.x in master, and it wasn't clear last time I looked at those CVEs tha

Re: CVEs

2021-06-21 Thread Eric Richardson
r reports) > but probably wouldn't backport. > > Jackson has been a persistent one but in this case Spark is already on > 2.12.x in master, and it wasn't clear last time I looked at those CVEs that > they can affect Spark itself. End user apps perhaps, but those apps can > supp

Re: CVEs

2021-06-21 Thread Sean Owen
off static analyzer reports) but probably wouldn't backport. Jackson has been a persistent one but in this case Spark is already on 2.12.x in master, and it wasn't clear last time I looked at those CVEs that they can affect Spark itself. End user apps perhaps, but those apps can supply th

CVEs

2021-06-21 Thread Eric Richardson
Hi, I am working with Spark 3.1.2 and getting several vulnerabilities popping up. I am wondering if the Spark distros are scanned etc. and how people resolve these. For example. I am finding - https://nvd.nist.gov/vuln/detail/CVE-2020-25649 This looks like it is fixed in 2.11.0 - https://github.