[ 
https://issues.apache.org/jira/browse/SPARK-24229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16473137#comment-16473137
 ] 

Ray Donnelly commented on SPARK-24229:
--------------------------------------

The problem (for us) is that companies that use our software (and we ourselves) 
run scans for CVEs and some have blanket no-CVEs-allowed policies. Is updating 
this vendored libthrift-0.9.3.jar likely to cause any trouble? If you won't do 
it on your side we'll have to consider doing it in our own release.


In general, even if the CVE doesn't matter in a specific instance, it is best 
if projects aim not to carry things that have them at all.

> Upgrade to the latest Apache Thrift 0.10.0 release
> --------------------------------------------------
>
>                 Key: SPARK-24229
>                 URL: https://issues.apache.org/jira/browse/SPARK-24229
>             Project: Spark
>          Issue Type: Bug
>          Components: Java API
>    Affects Versions: 2.3.0
>            Reporter: Ray Donnelly
>            Priority: Critical
>
> According to [https://www.cvedetails.com/cve/CVE-2016-5397/]
>  
> .. there are critical vulnerabilities in libthrift 0.9.3 currently vendored 
> in Apache Spark (and then, for us, into PySpark).
>  
> Can anyone help to assess the seriousness of this and what should be done 
> about it?
>  
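A way to answer the practical question in this thread, "do we ship the affected libthrift jar?", is to inventory the distribution's jars/ directory rather than rely on a scanner's report. The script below is an added example; it is not code from Spark, PySpark or this ticket. It assumes the vendored jar keeps the upstream naming (libthrift-<version>.jar), reads the version from META-INF/MANIFEST.MF when present, and flags anything below 0.10.0 (the release the ticket asks for) as needing upgrade. The sample jars it scans are constructed in a temp directory so it runs offline.

```python
"""Inventory a jars/ directory for vendored libthrift and flag old versions.

Added example, not from Spark or the ticket. Jar names are assumed to follow
the upstream pattern libthrift-<version>.jar.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# From the issue: libthrift 0.9.3 is the vendored version the reporter is
# concerned about (CVE-2016-5397); 0.10.0 is the release the ticket requests.
AFFECTED_VERSION = "0.9.3"
FIXED_VERSION = "0.10.0"

_NAME_RE = re.compile(r"^libthrift-(?P<ver>\d+(?:\.\d+)+)\.jar$")
_MANIFEST_KEYS = ("Implementation-Version", "Bundle-Version")


def parse_version(text):
    """'0.9.3' -> (0, 9, 3). Numeric comparison, so 0.10.0 sorts above 0.9.3;
    a non-numeric suffix such as '.RELEASE' is dropped."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def manifest_version(jar_path):
    """Version recorded in META-INF/MANIFEST.MF, or None if the jar has none."""
    with zipfile.ZipFile(jar_path) as zf:
        try:
            raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    for line in raw.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in _MANIFEST_KEYS:
            return value.strip()
    return None


def libthrift_version(jar_path):
    """Prefer the manifest version; fall back to the version in the file name."""
    jar_path = Path(jar_path)
    version = manifest_version(jar_path)
    if version:
        return version
    match = _NAME_RE.match(jar_path.name)
    return match.group("ver") if match else None


def scan_jars(jars_dir):
    """Return (jar name, version, needs_upgrade) for every libthrift jar found.
    needs_upgrade is True when the version is below FIXED_VERSION."""
    findings = []
    for jar in sorted(Path(jars_dir).rglob("*.jar")):
        if not _NAME_RE.match(jar.name):
            continue  # not a libthrift jar by name; other libs are out of scope here
        version = libthrift_version(jar)
        needs_upgrade = parse_version(version) < parse_version(FIXED_VERSION)
        findings.append((jar.name, version, needs_upgrade))
    return findings


def build_sample_jars_dir():
    """Constructed sample: a temp jars/ dir holding an old libthrift, a fixed
    libthrift and an unrelated jar, each with a minimal manifest."""
    root = Path(tempfile.mkdtemp(prefix="spark-jars-"))
    specs = {
        "libthrift-0.9.3.jar": "0.9.3",
        "libthrift-0.10.0.jar": "0.10.0",
        "other-lib-1.0.jar": "1.0",
    }
    for name, ver in specs.items():
        with zipfile.ZipFile(root / name, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\r\nImplementation-Version: {ver}\r\n")
    return root


if __name__ == "__main__":
    jars_dir = build_sample_jars_dir()
    for name, version, needs_upgrade in scan_jars(jars_dir):
        status = f"needs upgrade (< {FIXED_VERSION})" if needs_upgrade else "ok"
        print(f"{jars_dir / name}: libthrift {version}: {status}")
```

Point it at a real distribution with `scan_jars("/path/to/spark/jars")`. The manifest is read first because a jar that has been repackaged or renamed can carry a version in its name that no longer matches its contents; the name-based filter is the limitation to keep in mind if the jar was shaded into another artifact.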



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
