[ 
https://issues.apache.org/jira/browse/SPARK-39969?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17574720#comment-17574720
 ] 

Steve Loughran commented on SPARK-39969:
----------------------------------------

note: although the latest release fixes the latest set of jackson CVEs in the 
aws shaded jar, the s3 client doesn't use the vulnerable libraries. don't know 
about the rest of the sdk. it will at least stop code security analysis tools 
from complaining so much

> Spark AWS SDK and kinesis dependencies lagging hadoop-aws and s3a
> -----------------------------------------------------------------
>
>                 Key: SPARK-39969
>                 URL: https://issues.apache.org/jira/browse/SPARK-39969
>             Project: Spark
>          Issue Type: Improvement
>          Components: Build
>    Affects Versions: 3.4.0
>            Reporter: Steve Loughran
>            Priority: Minor
>
> The AWS SDK and matching kinesis versions are now a few iterations behind 
> what is shipping in hadoop 3.3.x. (see HADOOP-18068 and HADOOP-18344)
> * this updates dependencies/bundling of jackson and httpclient
> * no problems upgrading other than some test regressions
> catching up would be good, as it means that recent s3a releases are not 
> qualified with the AWS SDK release spark is pulling in - and if there is any 
> problem, it'll be a spark team issue. 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
