Laurenceau Julien created SPARK-46267:
-----------------------------------------

             Summary: critical vulnerability with a fix in Derby
                 Key: SPARK-46267
                 URL: https://issues.apache.org/jira/browse/SPARK-46267
             Project: Spark
          Issue Type: Dependency upgrade
          Components: Build
    Affects Versions: 3.4.1
         Environment: I know it is in Spark 3.4.1, which is the last version 
released by Canonical's Charmed Spark.

Since the fix was released on Nov 10 on the Derby side, it probably affects all 
versions of Spark.
            Reporter: Laurenceau Julien



It would be necessary to upgrade the Derby dependency in order to solve a critical 
vulnerability that was fixed in the latest release of Derby in November:

[https://db.apache.org/derby/releases/release-10_17_1_0.cgi]


The vuln:

```
│ Library                                │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │ Title                                                        │
│ org.apache.derby:derby (derby-10.14.2.0.jar) │ CVE-2022-46337 │ CRITICAL │ fixed  │ 10.14.2.0         │ 10.17.1.0     │ A cleverly devised username might bypass LDAP authentication │
```



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
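The scan table above gives an installed and a fixed Derby version. As an added example, not part of the report or of the Spark project's own code, the following Python check walks a Spark installation's jars directory, pulls the version out of each Derby jar filename, and compares it numerically against the fixed version from the table. Numeric comparison matters here: a plain string comparison would rank 10.9.x above 10.17.x and wrongly report it as patched. The jars directory path, the constructed jar filenames used in the demo, and all function names are assumptions for the example.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Values taken from the scan result in the report: the affected artifact,
# the CVE, and the first release that carries the fix.
CVE_ID = "CVE-2022-46337"
FIXED_VERSION = "10.17.1.0"

# Matches Derby release jars such as derby-10.14.2.0.jar; Derby ships its
# artifacts (derby, derbytools, derbyclient, ...) as one release, so they
# should move together when the dependency is bumped.
JAR_NAME_RE = re.compile(r"^(derby[a-z]*)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.14.2.0' into (10, 14, 2, 0) so comparison is numeric."""
    return tuple(int(part) for part in version.split("."))


def derby_version_from_name(filename: str) -> Optional[str]:
    """Return the version embedded in a Derby jar filename, or None."""
    match = JAR_NAME_RE.match(filename)
    return match.group(2) if match else None


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed release predates the first fixed release."""
    return parse_version(installed) < parse_version(fixed)


def audit_jars_dir(jars_dir: Path) -> List[Dict[str, object]]:
    """Report every Derby jar under jars_dir with its version and status."""
    findings = []
    for jar in sorted(jars_dir.glob("*.jar")):
        version = derby_version_from_name(jar.name)
        if version is None:
            continue  # not a Derby release jar
        findings.append({
            "jar": jar.name,
            "installed": version,
            "fixed": FIXED_VERSION,
            "cve": CVE_ID,
            "vulnerable": is_vulnerable(version),
        })
    return findings


def demo() -> List[Dict[str, object]]:
    """Run the audit over a constructed jars directory (assumed layout)."""
    with tempfile.TemporaryDirectory() as tmp:
        jars = Path(tmp)
        # Constructed sample files: only the names matter for this check.
        for name in ("derby-10.14.2.0.jar",
                     "spark-core_2.12-3.4.1.jar",
                     "hive-metastore-2.3.9.jar"):
            (jars / name).write_bytes(b"")
        return audit_jars_dir(jars)


if __name__ == "__main__":
    for finding in demo():
        status = "VULNERABLE" if finding["vulnerable"] else "ok"
        print(f"{finding['jar']}: {finding['installed']} "
              f"(fixed in {finding['fixed']}, {finding['cve']}) -> {status}")
```

Point `audit_jars_dir` at the real `$SPARK_HOME/jars` to check a deployment. The result is a version check only: it tells you the jar predates the fix, not whether the Derby LDAP authenticator named in the CVE title is actually configured in that deployment, so the finding should be read alongside the metastore configuration before the upgrade is prioritised.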
