GitHub user a-roberts opened a pull request:

    https://github.com/apache/spark/pull/14379

    [SPARK-16751] Upgrade Derby, remove from package

    ## What changes were proposed in this pull request?
    
    (Please fill in changes proposed in this fix)
    
    
    ## How was this patch tested?
    
    (Please explain how this patch was tested. E.g. unit tests, integration
    tests, manual tests)
    
    
    (If this patch involves UI changes, please attach a screenshot; otherwise,
    remove this)
    
    
    ## What changes were proposed in this pull request?
    
    Version of derby upgraded based on important security info at VersionEye.
    Test scope added so we don't include it in our final package anyway. NB: I
    think this should be backported to all previous releases as it is a security
    problem https://www.versioneye.com/java/org.apache.derby:derby/10.11.1.1
    
    The CVE number is 2015-1832. I also suggest we add a SECURITY tag for JIRAs.
    
    ## How was this patch tested?
    Existing tests with the change, making sure that we see no new failures. I
    checked that derby 10.12.x, and not derby 10.11.x, is downloaded to our ~/.m2
    folder.
    
    I then used dev/make-distribution.sh and checked the dist/jars folder for
    Spark 2.0: no derby jar is present.
    
    I don't know if this would also remove it from the assembly jar in our 1.x
    branches.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/a-roberts/spark patch-4

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/spark/pull/14379.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #14379
    
----
commit 910520efbd656ec960e1c4ec228b928fcee80be9
Author: Adam Roberts <[email protected]>
Date:   2016-07-27T12:53:46Z

    [SPARK-16751] Upgrade Derby, remove from package
    
    ## What changes were proposed in this pull request?
    
    Version of derby upgraded based on important security info at VersionEye.
    Test scope added so we don't include it in our final package anyway. NB: I
    think this should be backported to all previous releases as it is a security
    problem https://www.versioneye.com/java/org.apache.derby:derby/10.11.1.1
    
    The CVE number is 2015-1832. I also suggest we add a SECURITY tag for JIRAs.
    
    ## How was this patch tested?
    Existing tests with the change, making sure that we see no new failures. I
    checked that derby 10.12.x, and not derby 10.11.x, is downloaded to our ~/.m2
    folder.
    
    I then used dev/make-distribution.sh and checked the dist/jars folder for
    Spark 2.0: no derby jar is present.
    
    I don't know if this would also remove it from the assembly jar in our 1.x
    branches.

----
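The two manual checks the author describes (no Derby jar in dist/jars after dev/make-distribution.sh, and only the 10.12.x Derby line in the local Maven cache rather than the vulnerable 10.11.x) are the kind of thing worth gating a build on. The script below is an added example, not code from the pull request or the Spark project. It assumes the standard Maven repository layout (org/apache/derby/derby/<version>/) and constructs its own fixture trees with an assumed 10.12.x release string (10.12.1.1) and a placeholder spark-core jar name, so it runs offline; 10.11.1.1 is the version named in the PR.

```shell
#!/bin/sh
# Added example, not part of the pull request: automate the two manual checks
# described under "How was this patch tested". Check 1: the distribution's
# dist/jars directory ships no Derby jar. Check 2: the local Maven cache
# holds only the upgraded Derby line (10.12.x), not the vulnerable 10.11.x.
# Fixture directories are constructed below with the version strings
# 10.12.1.1 (an assumed 10.12.x release) and 10.11.1.1 (the version named in
# the PR) so the script runs offline.

# Succeeds when no regular file matching glob $2 exists anywhere under $1.
no_jar_present() {
  hits=$(find "$1" -type f -name "$2" 2>/dev/null | wc -l | tr -d ' ')
  [ "$hits" -eq 0 ]
}

# Succeeds when the Maven repository rooted at $1 has at least one Derby
# version directory beginning with $2 (wanted line) and none beginning
# with $3 (banned line). Layout: <m2>/org/apache/derby/derby/<version>/.
m2_derby_versions_ok() {
  base="$1/org/apache/derby/derby"
  [ -d "$base" ] || return 1
  wanted_seen=0
  for dir in "$base"/*/; do
    [ -d "$dir" ] || continue
    v=$(basename "$dir")
    case "$v" in
      "$3"*) return 1 ;;        # banned line is still cached
      "$2"*) wanted_seen=1 ;;
    esac
  done
  [ "$wanted_seen" -eq 1 ]
}

# Build a constructed fixture tree and print its root. $1 is "clean"
# (the state the PR expects after the change) or "dirty" (pre-change state).
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/dist/jars" "$root/m2/org/apache/derby/derby/10.12.1.1"
  : > "$root/dist/jars/spark-core_2.11-2.0.0.jar"   # placeholder Spark jar
  : > "$root/m2/org/apache/derby/derby/10.12.1.1/derby-10.12.1.1.jar"
  if [ "$1" = "dirty" ]; then
    : > "$root/dist/jars/derby-10.11.1.1.jar"
    mkdir -p "$root/m2/org/apache/derby/derby/10.11.1.1"
    : > "$root/m2/org/apache/derby/derby/10.11.1.1/derby-10.11.1.1.jar"
  fi
  printf '%s\n' "$root"
}

# Run both checks against a root containing dist/ and m2/; return non-zero
# on the first failure so the script can gate a build.
check_distribution() {
  root=$1
  if ! no_jar_present "$root/dist/jars" 'derby*.jar'; then
    echo "FAIL: a derby jar is shipped in $root/dist/jars"
    return 1
  fi
  if ! m2_derby_versions_ok "$root/m2" 10.12 10.11; then
    echo "FAIL: derby 10.11.x still cached (or 10.12.x missing) in $root/m2"
    return 1
  fi
  echo "PASS: no derby jar in dist/jars and only derby 10.12.x cached"
}

# Demonstration on constructed fixtures. Against a real checkout, point the
# root at dist/ from dev/make-distribution.sh and m2/ at ~/.m2/repository.
check_distribution "$(make_fixture clean)"
check_distribution "$(make_fixture dirty)" || true
```

The version-directory check is deliberately prefix-based (10.12 versus 10.11) rather than tied to one exact release, since what matters for the backport question raised above is which Derby line the build resolves, not the patch number.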


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
