cowtowncoder edited a comment on pull request #29334: URL: https://github.com/apache/spark/pull/29334#issuecomment-678705572
A quick note that might be relevant on the question of CVEs affecting Spark. All dozens of CVEs against `jackson-databind` for the past 2 years or so are related to the same feature, default (polymorphic) typing, something that is NOT enabled by default. I wrote this a while ago: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 to give a full description of these issues. So unless Spark uses "Default Typing" (enable ALL values to use polymorphic typing), these are not relevant. But I also understand that due to security tools' true/false settings, it is annoying to end users to get all the warnings even if there is no actual problem.

I will also note that:

* 2.10.x and later are not affected (CVEs will not be applicable past 2.9.x)
* I plan on releasing 2.9.10.6 within the next couple of days (by end of August 2020); currently there are 4 reported issues for which a CVE id is or will be allocated.

I hope this helps.
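An added example (my own, not code from this PR or from Jackson) of the distinction the comment draws: a plain `ObjectMapper` has no default typing at all, and when default typing is genuinely wanted, the 2.10+ `activateDefaultTyping` call takes a `PolymorphicTypeValidator` allow-list so a type id in input can only resolve to the application's own classes. The `Shape`/`Circle` types, the class-name prefix and the two JSON inputs are constructed for illustration.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Hypothetical application types: the only classes a type id in JSON should ever resolve to.
    public interface Shape {}
    public static class Circle implements Shape { public double r; }

    // The state the comment describes as unaffected: no default typing, so a class name
    // in the input is never consulted. (Pre-2.10 code that calls enableDefaultTyping()
    // is what turns the feature on for every value.)
    static ObjectMapper plainMapper() {
        return new ObjectMapper();
    }

    // Default typing the 2.10+ way: the validator's allow-list is checked before any
    // class named in the input is instantiated, so arbitrary class names are refused.
    static ObjectMapper restrictedDefaultTypingMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(DefaultTypingDemo.class.getName()) // assumed app prefix
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL,
                JsonTypeInfo.As.PROPERTY);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = restrictedDefaultTypingMapper();

        // Constructed input: type id names an allow-listed application class, accepted.
        String ok = "{\"@class\":\"" + Circle.class.getName() + "\",\"r\":2.0}";
        Shape s = mapper.readValue(ok, Shape.class);
        System.out.println("accepted: " + s.getClass().getSimpleName());

        // Constructed input: type id names a class outside the allow-list, rejected by
        // the validator (InvalidTypeIdException) rather than loaded and instantiated.
        String outside = "{\"@class\":\"java.util.HashMap\"}";
        try {
            mapper.readValue(outside, Shape.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected: " + e.getTypeId());
        }
    }
}
```

Run against jackson-databind 2.10 or later; on 2.9.x the `activateDefaultTyping` and validator APIs are not available, which is the line the comment draws between affected and unaffected versions.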
