Laurenceau Julien created SPARK-46267:
-----------------------------------------

Summary: critical vulnerability with a fix in Derby
Key: SPARK-46267
URL: https://issues.apache.org/jira/browse/SPARK-46267
Project: Spark
Issue Type: Dependency upgrade
Components: Build
Affects Versions: 3.4.1
Environment: I know it is in Spark 3.4.1, which is the last version released by Canonical Charmed Spark. Since the fix was released on Nov 10 on the Derby side, it probably affects all versions of Spark.
Reporter: Laurenceau Julien

It would be necessary to upgrade the Derby dependency in order to solve a critical vulnerability that was fixed in the latest release of Derby in November: [https://db.apache.org/derby/releases/release-10_17_1_0.cgi]

The vuln:

```
│ Library                                      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │ Title                                                        │
│ org.apache.derby:derby (derby-10.14.2.0.jar) │ CVE-2022-46337 │ CRITICAL │ fixed  │ 10.14.2.0         │ 10.17.1.0     │ A cleverly devised username might bypass LDAP authentication │
```

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
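An added check, not part of the issue or the Spark project, that inspects a Spark `jars/` directory for a bundled Derby jar older than the fixed version named in the scanner output above (10.17.1.0). The `derby-<version>.jar` file-name pattern and the sample jar list are assumptions constructed for the example.

```python
import re
from pathlib import Path

# Fixed version as reported in the issue's scanner table for CVE-2022-46337.
FIXED_VERSION = (10, 17, 1, 0)
# Assumed file-name pattern for the Derby engine jar shipped under spark/jars.
DERBY_JAR = re.compile(r"^derby-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '10.14.2.0' into (10, 14, 2, 0), padded to four components.

    Integer tuples are compared numerically; a plain string comparison
    would wrongly rank '10.9.x' above '10.14.x'.
    """
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(version):
    """True if this Derby version predates the 10.17.1.0 fix."""
    return parse_version(version) < FIXED_VERSION


def find_vulnerable_derby_jars(jar_names):
    """Return [(jar_name, version)] for Derby jars below the fixed version."""
    hits = []
    for name in jar_names:
        match = DERBY_JAR.match(name)
        if match and is_vulnerable(match.group(1)):
            hits.append((name, match.group(1)))
    return hits


def scan_jars_dir(path):
    """Scan a real directory, e.g. $SPARK_HOME/jars, for vulnerable Derby jars."""
    return find_vulnerable_derby_jars(p.name for p in Path(path).glob("*.jar"))


# Constructed sample: the jar from the issue plus unrelated neighbours.
SAMPLE_JARS = [
    "derby-10.14.2.0.jar",
    "spark-core_2.12-3.4.1.jar",
    "derbyclient-10.14.2.0.jar",  # not matched: only the engine jar is checked
]

if __name__ == "__main__":
    for jar, version in find_vulnerable_derby_jars(SAMPLE_JARS):
        print(f"{jar}: Derby {version} < 10.17.1.0, affected by CVE-2022-46337")
```

Point `scan_jars_dir` at the installation's `jars/` directory to run the same check on a real deployment.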