srowen commented on pull request #34895:
URL: https://github.com/apache/spark/pull/34895#issuecomment-995824528

@FranciscoBorges - please back up and read the CVEs and catch up on related issues here. Users need accurate information right now.

To briefly re-summarize: CVE-2021-44228 affects log4j 2.x. You can even see here that Spark and its dependencies use log4j 1.x. It's a good thing to update to 2.x, but that is hard because of dependencies. See, again, this very change. It could happen.

CVE-2019-17571 affects 1.x, but Spark does not use the SocketServer.

Anyone with information to the contrary is welcome to chime in here, but comments like https://github.com/apache/spark/pull/34895#issuecomment-995647652 are an example of what does not help users.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
