Hi Sean and Holden,
I decided it was best to send an email so I could share all my findings
with the team. I think it should be relatively easy to fix with updates but
I am not that good at working on the repo. I tried but ended up with some
roadblocks that were going to take some time to figure o

Ok, that sounds like a plan. I will gather what I found and either reach
out on the security channel and/or try and upgrade with a pull request.
Thanks for pointing me in the right direction.
On Mon, Jun 21, 2021 at 4:52 PM Sean Owen wrote:
Yeah if it were clearly exploitable right now we'd handle it via private@
instead of JIRA; depends on what you think the importance is. If in doubt
reply to priv...@spark.apache.org
On Mon, Jun 21, 2021 at 6:50 PM Holden Karau wrote:
You could comment on https://issues.apache.org/jira/browse/SPARK-35550
which covered the update to Jackson 2.12.3. If there's a decent case for
backporting and it doesn't have major compatibility issues, we can do it.
Then if you have time, try back-porting the patch to branch-3.1 and run
tests.
If you get to a point where you find something you think is highly likely to
be a valid vulnerability, the best path forward is likely reaching out to
private@ to figure out how to do a security release.
On Mon, Jun 21, 2021 at 4:42 PM Eric Richardson wrote:
Thanks for the quick reply. Yes, since it is included in the jars then it
is unclear whether it is used internally, at least to me.
I can substitute the jar in the distro to keep the scanner from finding it,
but then it is unclear whether I could be breaking something or not. Given
that 3.1.2 is th
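The question Eric raises, which Jackson jars a Spark distribution actually bundles and whether they sit below the version SPARK-35550 moved to, can be answered with a small inventory script before deciding on any jar substitution. The script below is an added example and is not code from this thread or from the Spark project. It assumes the distribution's jars directory follows the standard Maven <artifactId>-<version>.jar naming (which Spark's jars/ directory does); the jar list embedded in it is constructed for illustration, and the 2.12.3 floor is the version named in the thread.

```python
"""Inventory the Jackson jars in a Spark distribution and flag the ones
older than a given fix version.

Added example, not from the mailing-list thread or from Apache Spark.
Assumption: jar files are named <artifactId>-<version>.jar (Maven layout).
"""
import re
from pathlib import Path
from typing import List, Optional, Tuple

# Non-greedy artifact name, then the first "-" that is followed by a digit
# starts the version.  Handles Scala-suffixed names such as
# jackson-module-scala_2.12-2.10.0.jar -> ("jackson-module-scala_2.12", "2.10.0").
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d.*)\.jar$")


def parse_jar_name(name: str) -> Optional[Tuple[str, str]]:
    """Return (artifactId, version) for a Maven-style jar name, else None."""
    m = JAR_RE.match(name)
    if not m:
        return None
    return m.group("artifact"), m.group("version")


def version_key(version: str) -> Tuple[Tuple[int, ...], int, str]:
    """Split '2.12.3-rc1' into numeric components and a qualifier.

    A qualifier marks a pre-release, which sorts *before* the final release
    of the same number (2.12.3-rc1 < 2.12.3)."""
    main, _, qualifier = version.partition("-")
    nums = tuple(int(p) for p in main.split(".") if p.isdigit())
    return nums, (0 if qualifier else 1), qualifier


def is_older(version: str, minimum: str) -> bool:
    """True if `version` is strictly below `minimum`; pads 2.12 to 2.12.0."""
    a, b = version_key(version), version_key(minimum)
    width = max(len(a[0]), len(b[0]))
    pad = lambda nums: nums + (0,) * (width - len(nums))
    return (pad(a[0]), a[1], a[2]) < (pad(b[0]), b[1], b[2])


def find_outdated(jar_names: List[str], family: str = "jackson-",
                  minimum: str = "2.12.3") -> List[Tuple[str, str]]:
    """Return (artifactId, version) pairs in `family` that are below `minimum`."""
    found = []
    for name in jar_names:
        parsed = parse_jar_name(name)
        if parsed is None:
            continue
        artifact, version = parsed
        if artifact.startswith(family) and is_older(version, minimum):
            found.append((artifact, version))
    return sorted(found)


def scan_jars_dir(path: str, **kwargs) -> List[Tuple[str, str]]:
    """Run find_outdated over every *.jar in a real distribution directory."""
    return find_outdated([p.name for p in Path(path).glob("*.jar")], **kwargs)


# Constructed sample inventory (not a real Spark 3.1.2 listing).
SAMPLE_JARS = [
    "jackson-annotations-2.10.0.jar",
    "jackson-core-2.10.0.jar",
    "jackson-databind-2.10.0.jar",
    "jackson-module-scala_2.12-2.10.0.jar",
    "jackson-dataformat-yaml-2.12.3.jar",   # already at the floor, not flagged
    "spark-core_2.12-3.1.2.jar",            # outside the jackson family
    "guava-14.0.1.jar",
]

if __name__ == "__main__":
    # e.g. scan_jars_dir("/opt/spark/jars") on a real install; here the sample
    for artifact, version in find_outdated(SAMPLE_JARS):
        print(f"{artifact} {version} is below 2.12.3")
```

Running `scan_jars_dir` on a real install gives the list of artifacts a scanner will keep flagging; whether any of them is reachable from Spark's own code paths is the separate question Sean raises, and this script does not answer it, it only tells you what is shipped.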
Whether it matters really depends on whether the CVE affects Spark.
Sometimes it clearly could and so we'd try to back-port dependency updates
to active branches.
Sometimes it clearly doesn't, and hey, sometimes the dependency is updated
anyway for good measure (mostly to keep this off static analyze