Whether it matters really depends on whether the CVE affects Spark.
Sometimes it clearly could, and so we'd try to back-port dependency updates
to active branches.
Sometimes it clearly doesn't, and hey, sometimes the dependency is updated
anyway for good measure (mostly to keep this off static analyzer reports)
but probably wouldn't backport.

Jackson has been a persistent one but in this case Spark is already on
2.12.x in master, and it wasn't clear last time I looked at those CVEs that
they can affect Spark itself. End user apps perhaps, but those apps can
supply their own Jackson.

If someone had a legit view that this is potentially more serious I think
we could probably backport that update, but Jackson can be a little bit
tricky with compatibility IIRC, so it would just bear some testing.


On Mon, Jun 21, 2021 at 5:27 PM Eric Richardson <ekrichard...@gmail.com>
wrote:

> Hi,
>
> I am working with Spark 3.1.2 and getting several vulnerabilities popping
> up. I am wondering if the Spark distros are scanned etc. and how people
> resolve these.
>
> For example. I am finding -
> https://nvd.nist.gov/vuln/detail/CVE-2020-25649
>
> This looks like it is fixed in 2.11.0 -
> https://github.com/FasterXML/jackson-databind/issues/2589 - but Spark
> supplies 2.10.0.
>
> Thanks,
> Eric
>

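The practical first step behind Eric's question is to see which jackson-databind a given Spark distribution actually ships and whether it is below the version the CVE is fixed in. The script below is an added example written for this page, not code from the Spark project or from either poster. It assumes the distribution's jars/ directory uses Maven's <artifactId>-<version>.jar file naming (which the Spark binary tarballs do) and takes the 2.11.0 fixed version quoted in the question as its threshold; any other threshold can be passed in. It deliberately works from file names only, so it runs on any POSIX sh without a JVM.

```shell
#!/usr/bin/env sh
# Added example: flag jackson-databind jars in a Spark jars/ directory that are
# older than a given fixed version. Assumes Maven-style <artifactId>-<version>.jar
# names; versions with a hyphenated suffix (e.g. 2.12.0-rc1) are not handled.

# version_ge A B: exit 0 if dotted version A >= B, 1 otherwise.
# Fields are compared numerically left to right; missing fields count as 0,
# so 2.10.5.1 > 2.10.5 and 2.11 == 2.11.0.
version_ge() {
  vga="$1"; vgb="$2"
  while [ -n "$vga" ] || [ -n "$vgb" ]; do
    ap=${vga%%.*}; bp=${vgb%%.*}
    case "$vga" in *.*) vga=${vga#*.};; *) vga="";; esac
    case "$vgb" in *.*) vgb=${vgb#*.};; *) vgb="";; esac
    ap=${ap%%[!0-9]*}; bp=${bp%%[!0-9]*}   # drop any non-numeric tail
    ap=${ap:-0}; bp=${bp:-0}
    if [ "$ap" -gt "$bp" ]; then return 0; fi
    if [ "$ap" -lt "$bp" ]; then return 1; fi
  done
  return 0
}

# jar_version PATH: print the version part of a Maven-named jar file.
# e.g. jars/jackson-module-scala_2.12-2.10.0.jar -> 2.10.0
jar_version() {
  jvn=${1##*/}; jvn=${jvn%.jar}
  printf '%s\n' "${jvn##*-}"
}

# list_jackson_jars DIR: print "artifactId version" for every jackson-*.jar.
list_jackson_jars() {
  for jar in "$1"/jackson-*.jar; do
    [ -e "$jar" ] || continue
    ljn=${jar##*/}; ljn=${ljn%.jar}
    printf '%s %s\n' "${ljn%-*}" "${ljn##*-}"
  done
}

# check_jackson_databind DIR FIXED: exit 0 if every jackson-databind jar in DIR
# is at or above FIXED, 1 if any is older. Prints one line per jar found.
check_jackson_databind() {
  cjd="$1"; fixed="$2"; bad=0
  for jar in "$cjd"/jackson-databind-*.jar; do
    [ -e "$jar" ] || continue
    ver=$(jar_version "$jar")
    if version_ge "$ver" "$fixed"; then
      echo "ok   ${jar##*/} ($ver >= $fixed)"
    else
      echo "FLAG ${jar##*/} ($ver < $fixed)"
      bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
}

# Usage: sh check-jackson.sh /path/to/spark-3.1.2-bin-hadoop3.2/jars [FIXED]
# Exit status is non-zero when an older jackson-databind is present, so this
# can sit in a build pipeline alongside the scanner output.
if [ $# -ge 1 ]; then
  list_jackson_jars "$1"
  check_jackson_databind "$1" "${2:-2.11.0}"
fi
```

The listing is there because the scanner report usually names several Jackson artifacts (core, annotations, the Scala module) that carry the same version as databind; if an application overrides databind it should override the whole set to the same release, since mismatched Jackson artifacts are the compatibility trouble the reply alludes to. Supplying your own Jackson from the application side means shipping it with the job (for example via --jars or a shaded assembly) and, where the distribution's copy must not win, setting spark.driver.userClassPathFirst and spark.executor.userClassPathFirst to true; both options exist in Spark but change classloading order for every library, so test the job end to end rather than only the scanner result.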