[
https://issues.apache.org/jira/browse/SPARK-27358?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sean Owen updated SPARK-27358:
------------------------------
Priority: Major (was: Minor)
Description:
jquery 1.11.1 is affected by a CVE:
https://www.cvedetails.com/cve/CVE-2016-7103/
Note that I do not know whether this actually manifests as a security problem
for Spark. But, we can easily update to 1.12.4 (latest 1.x version) to resolve
it.
(Note that https://www.cvedetails.com/cve/CVE-2015-9251/ seems to have been
fixed in 1.12 but then unfixed, so this may require a much bigger jump to
jquery 3.x if it's a problem; leaving that until later.)
Along the way we will want to update jquery datatables to 1.10.18 to match
jquery 1.12.4.
Relatedly, jquery mustache 0.8.1 also has a CVE:
https://snyk.io/test/npm/mustache/0.8.2
I propose to update to 2.3.12 (latest 2.x) to resolve it.
Although targeted for 3.0, I believe this is back-port-able to 2.4.x if needed,
assuming we find no UI issues.
was:
jquery 1.11.1 is affected by a CVE:
https://www.cvedetails.com/cve/CVE-2016-7103/
We can easily update to 1.12.4 (latest 1.x version) to resolve it.
(Note that https://www.cvedetails.com/cve/CVE-2015-9251/ seems to have been
fixed in 1.12 but then unfixed, so this may require a much bigger jump to
jquery 3.x if it's a problem; leaving that until later.)
Along the way we will want to update jquery datatables to 1.10.18 to match
jquery 1.12.4.
Relatedly, jquery mustache 0.8.1 also has a CVE:
https://snyk.io/test/npm/mustache/0.8.2
I propose to update to 2.3.12 (latest 2.x) to resolve it.
Although targeted for 3.0, I believe this is back-port-able to 2.4.x if needed,
assuming we find no UI issues.
> Update jquery to 1.12.x to address CVE
> --------------------------------------
>
> Key: SPARK-27358
> URL: https://issues.apache.org/jira/browse/SPARK-27358
> Project: Spark
> Issue Type: Improvement
> Components: Web UI
> Affects Versions: 3.0.0
> Reporter: Sean Owen
> Assignee: Sean Owen
> Priority: Major
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)