I think these are readily answerable if you look at the text of the CVEs and Spark 3.0.3 release.
https://nvd.nist.gov/vuln/detail/CVE-2019-17531 concerns Jackson Databind up to 2.9.10, but you can see that 3.0.3 uses 2.10.0
https://nvd.nist.gov/vuln/detail/CVE-2020-9480 affects Spark 2.x, not 3.x
https://nvd.nist.gov/vuln/detail/CVE-2019-0204 does not appear related to Spark

On Tue, Feb 15, 2022 at 12:40 PM Rajesh Krishnamurthy <rkrishnamur...@perforce.com> wrote:

> Hi Sean,
>
> I am looking to fix vulnerabilities such as these in the 3.0.X branch.
>
> 1) CVE-2019-17531
> 2) CVE-2020-9480
> 3) CVE-2019-0204
>
> Rajesh Krishnamurthy | Enterprise Architect
> T: +1 510-833-7189 | M: +1 925-917-9208
> http://www.perforce.com
> Visit us on: Twitter <https://twitter.com/perforce> | LinkedIn <https://www.linkedin.com/company/perforce> | Facebook <https://www.facebook.com/perforce/>
>
> On Feb 14, 2022, at 1:52 PM, Sean Owen <sro...@gmail.com> wrote:
>
> What vulnerabilities are you referring to? I'm not aware of any critical outstanding issues, but not sure what you have in mind either.
> See https://spark.apache.org/versioning-policy.html - 3.0.x is EOL about now, which doesn't mean there can't be another release, but would not generally expect one.
>
> On Mon, Feb 14, 2022 at 3:48 PM Rajesh Krishnamurthy <rkrishnamur...@perforce.com> wrote:
>
>> Hi Sean,
>>
>> Thanks for the response. Does the community have any plans of fixing any vulnerabilities that have been identified in the 3.0.3 version? Do you have any fixed date that 3.0.x is going to be EOL?
>>
>> Rajesh Krishnamurthy | Enterprise Architect
>>
>> On Feb 11, 2022, at 3:09 PM, Sean Owen <sro...@gmail.com> wrote:
>>
>> 3.0.x is about EOL now, and I hadn't heard anyone come forward to push a final maintenance release. Is there a specific issue you're concerned about?
>>
>> On Fri, Feb 11, 2022 at 4:24 PM Rajesh Krishnamurthy <rkrishnamur...@perforce.com> wrote:
>>
>>> Hi there,
>>>
>>> We are just wondering if there is any agenda by the Spark community to actively engage in development activities on the 3.0.x path. I know we have the latest version of Spark with 3.2.x, but we are just wondering if there are any development plans to have the vulnerabilities fixed on the 3.0.x path that were identified in the 3.0.3 version, so that we don't need to migrate to the next major version (3.1.x in this case), but at the same time have all the vulnerabilities fixed within the minor version upgrade (eg: 3.0.x).
>>>
>>> Rajesh Krishnamurthy | Enterprise Architect
>>>
>>> This e-mail may contain information that is privileged or confidential. If you are not the intended recipient, please delete the e-mail and any attachments and notify us immediately.
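The reply at the top of the thread triages each CVE by comparing the affected range in the NVD entry with the dependency version actually bundled in the Spark 3.0.3 release. The script below is an added illustration of that check, not part of the thread and not Spark project code: it parses a jars/ directory listing, extracts artifact names and versions from the jar file names, and reports whether each advisory's affected range matches what is bundled. The jar listing is a constructed sample, the `JAR_RE` pattern, `version_key` and `Advisory` helpers are assumptions of this example, and the affected ranges encode only what the thread states (jackson-databind up to 2.9.10 for CVE-2019-17531, Spark 2.x for CVE-2020-9480, CVE-2019-0204 not a Spark component); for a real triage, take the ranges from the NVD text the thread links.

```python
"""Added example: triage CVE affected ranges against the jars bundled in a
Spark distribution. Not code from the mailing-list thread or the Spark project;
the helpers, the sample listing and the encoded ranges are this example's own."""
import re
from dataclasses import dataclass
from typing import Callable, Tuple

# Constructed sample of a jars/ directory listing (not a real Spark 3.0.3 manifest).
SAMPLE_JARS = """
jackson-databind-2.10.0.jar
jackson-core-2.10.0.jar
spark-core_2.12-3.0.3.jar
netty-all-4.1.47.Final.jar
"""

# <artifact>-<version>.jar, where the version starts with a digit. The lazy
# artifact group lets hyphenated artifact names ("jackson-databind") parse.
JAR_RE = re.compile(
    r"^(?P<artifact>.+?)-(?P<version>\d+(?:\.\d+)*(?:[.-][A-Za-z0-9]+)*)\.jar$"
)


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a version string as a comparable tuple: '2.9.10' -> (2, 9, 10).
    Qualifiers such as '.Final' are dropped, which is enough for range checks here."""
    nums = []
    for part in re.split(r"[.-]", version):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


@dataclass(frozen=True)
class Advisory:
    cve: str
    artifact: str  # Maven artifact name as it appears in the jar file name; "" if not a dependency
    is_affected: Callable[[Tuple[int, ...]], bool]
    note: str


# Affected ranges as the thread states them (assumption: these are read from the reply, not NVD).
ADVISORIES = [
    Advisory("CVE-2019-17531", "jackson-databind",
             lambda v: v <= (2, 9, 10), "jackson-databind up to 2.9.10 per the thread"),
    Advisory("CVE-2020-9480", "spark-core",
             lambda v: v[:1] == (2,), "Spark 2.x only per the thread"),
    Advisory("CVE-2019-0204", "",
             lambda v: False, "not a Spark component per the thread"),
]


def parse_jar_listing(listing: str) -> dict:
    """Map artifact name (Scala-binary suffix such as _2.12 stripped) to version string."""
    found = {}
    for line in listing.splitlines():
        name = line.strip()
        match = JAR_RE.match(name) if name else None
        if not match:
            continue
        artifact = re.sub(r"_\d+\.\d+$", "", match.group("artifact"))
        found[artifact] = match.group("version")
    return found


def triage(listing: str, advisories=ADVISORIES) -> dict:
    """Return a verdict per CVE: affected, not affected (with the bundled version),
    not bundled, or not applicable to this product at all."""
    jars = parse_jar_listing(listing)
    verdicts = {}
    for adv in advisories:
        if not adv.artifact:
            verdicts[adv.cve] = f"not applicable: {adv.note}"
            continue
        version = jars.get(adv.artifact)
        if version is None:
            verdicts[adv.cve] = f"not bundled: {adv.artifact} absent from listing"
        elif adv.is_affected(version_key(version)):
            verdicts[adv.cve] = f"AFFECTED: {adv.artifact} {version} ({adv.note})"
        else:
            verdicts[adv.cve] = f"not affected: {adv.artifact} {version} ({adv.note})"
    return verdicts


if __name__ == "__main__":
    for cve, verdict in triage(SAMPLE_JARS).items():
        print(f"{cve}: {verdict}")
```

Run against a real distribution, the listing would come from `ls jars/` in the unpacked release; the point of the script is that "CVE X is listed for product Y" is only a finding once the bundled version is inside the advisory's range, which is exactly the check the reply performs for jackson-databind 2.10.0 against "up to 2.9.10".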