[
https://issues.apache.org/jira/browse/SPARK-38262?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Bjørn Jørgensen updated SPARK-38262:
------------------------------------
Issue Type: Dependency upgrade (was: Bug)
> Upgrade Google guava to version 30.0-jre
> ----------------------------------------
>
> Key: SPARK-38262
> URL: https://issues.apache.org/jira/browse/SPARK-38262
> Project: Spark
> Issue Type: Dependency upgrade
> Components: Build
> Affects Versions: 3.3.0
> Reporter: Bjørn Jørgensen
> Priority: Major
>
> This is duplicated many times like in
> [SPARK-32502|https://issues.apache.org/jira/browse/SPARK-32502]
> Apache Spark is using com.google.guava:guava version 14.0.1 which has two
> security issues.
> [CVE-2018-10237|https://nvd.nist.gov/vuln/detail/CVE-2018-10237]
> [CVE-2020-8908|https://nvd.nist.gov/vuln/detail/CVE-2020-8908]
> We should upgrade to [version
> 30.0|https://mvnrepository.com/artifact/com.google.guava/guava/30.0-jre]
> I will add some links to what I have found about this issue
> [HIVE-25617:fix bug introduced by
> CVE-2020-8908|https://github.com/apache/hive/pull/2725]
> [Upgrade Guava to 27|https://github.com/apache/druid/pull/10683]
> [HIVE-21961: Upgrade Hadoop to 3.1.4, Guava to 27.0-jre and Jetty to
> 9.4.20.v20190813|https://github.com/apache/hive/pull/1821]
> [Shade Guava manually|https://github.com/apache/druid/issues/6942]
> [[DISCUSS] Hadoop 3, dropping support for Hadoop
> 2.x|https://lists.apache.org/thread/zmc389trnkh6x444so8mdb2h0x0noqq4]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
