LuciferYang commented on PR #44477:
URL: https://github.com/apache/spark/pull/44477#issuecomment-1870766747

   > "SECURITY-2924 / https://github.com/advisories/GHSA-2jc4-r94c-rp7h
   > Ivy Plugin 2.5 and earlier bundles versions of Apache Ivy vulnerable to
   > https://github.com/advisories/GHSA-2jc4-r94c-rp7h.
   > 
   > This allows attackers able to control the input file for the "Trigger the
   > build of other projects based on the Ivy dependency management system"
   > post-build step to have Jenkins parse a crafted XML document that uses
   > external entities for extraction of secrets from the Jenkins controller or
   > server-side request forgery."
   > https://www.openwall.com/lists/oss-security/2023/09/06/9
   
For Spark, what specific harm will it suffer if it is not upgraded? Since I don't have a clear understanding of the specific results, I choose a way that does not break compatibility now. Due to my personal knowledge limitations, this decision may be wrong. If upgrading is necessary, could you submit a PR to fix it and explain in detail the specific harm to Spark if it is not upgraded? @bjornjorgensen thanks ~
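Added example, not code from the Spark, Ivy or Jenkins projects: a JAXP parser configuration that refuses the DOCTYPE and external-entity constructs the quoted advisory describes, run against two constructed ivy.xml-style inputs to show which one is rejected. The class name and the sample documents are assumptions for illustration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;

public class SafeIvyXmlParse {

    /** Builds a DocumentBuilder that refuses DOCTYPE declarations and external entities. */
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting any DTD is the most robust setting: no entity can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, for deployments that must tolerate a DTD.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f.newDocumentBuilder();
    }

    /** Returns true if the document parsed, false if the hardened parser rejected it. */
    static boolean parses(String xml) {
        try {
            Document d = hardenedBuilder()
                    .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement() != null;
        } catch (org.xml.sax.SAXParseException e) {
            return false; // DOCTYPE or external entity refused by the parser
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample resembling a minimal ivy.xml (not a real Spark module descriptor).
        String benign = "<ivy-module version=\"2.0\">"
                + "<info organisation=\"example\" module=\"demo\"/></ivy-module>";
        // Constructed sample carrying a DTD with an external entity, the pattern the advisory names.
        String withDtd = "<!DOCTYPE ivy-module [<!ENTITY ext SYSTEM \"http://placeholder.invalid/\">]>"
                + "<ivy-module version=\"2.0\"><info organisation=\"&ext;\" module=\"demo\"/></ivy-module>";
        System.out.println("benign parses:   " + parses(benign));
        System.out.println("with DTD parses: " + parses(withDtd));
    }
}
```

The same feature flags apply to SAXParserFactory and XMLInputFactory; whichever parser a plugin hands untrusted descriptors to is the one that needs them.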

