Re: Regarding NimbusDS JOSE JWT jar 3.9 security vulnerability

2018-02-14 Thread sujith chacko
Hi Steve, While we are building the Spark 2.1 version, this particular JWT jar is getting added as a transitive dependency of the Hadoop-auth-2.7.2 project. I discussed this with one of the Hadoop PMC members; he will analyse the impact of this particular issue in Hadoop. Once I get more information I

Re: Regarding NimbusDS JOSE JWT jar 3.9 security vulnerability

2018-02-14 Thread Steve Loughran
might be coming in transitively https://issues.apache.org/jira/browse/HADOOP-14799 On 13 Feb 2018, at 18:18, PJ Fanning wrote: Hi Sujith, I didn't find the nimbusds dependency in any spark 2.2 jars. Maybe I missed something. Could you tell us

Re: Regarding NimbusDS JOSE JWT jar 3.9 security vulnerability

2018-02-13 Thread PJ Fanning
Hi Sujith, I didn't find the nimbusds dependency in any spark 2.2 jars. Maybe I missed something. Could you tell us which spark jar has the nimbusds dependency? -- Sent from: http://apache-spark-developers-list.1001551.n3.nabble.com/

Regarding NimbusDS JOSE JWT jar 3.9 security vulnerability

2018-02-12 Thread sujith71955
Hi Folks, I observed that in the Spark 2.2.x version we are using the NimbusDS JOSE JWT jar, version 3.9, but I saw that a few vulnerabilities have been reported for this particular version of the jar. Please refer to the details below: https://nvd.nist.gov/vuln/detail/CVE-2017-12973, https://www.cvedetails.com/cve/CVE-2017-12972/