These kinds of static analysis have limited value to send around. It's not clear whether any of the CVEs actually affect Spark's usage of the library. Jackson -- generally, yes, it could theoretically affect Spark apps. I can't really read this output, but it seems like the affected versions are generally 2.9.x and lower, while Spark 3.0.3 uses 2.10.0, so I'm sort of unclear what this is based on?
In any event, the best advice is to update Spark! If you're concerned about 3.0.3, which is EOL about now anyway, you should be updating to 3.2.

On Fri, Feb 18, 2022 at 11:36 AM Rajesh Krishnamurthy <rkrishnamur...@perforce.com> wrote:

> Hi Sean,
>
> Please find the list of vulnerabilities that we identified using trivy
> <https://github.com/aquasecurity/trivy> VA scanning tool on Spark 3.0.3
> version. Can you also please let us know the specific EOL date planned for
> 3.0.3 version?
>
> +---------------------------------------------+------------------+----------+--------------------+--------------------------------+-------
> | LIBRARY                                     | VULNERABILITY ID | SEVERITY | INSTALLED VERSION  | FIXED VERSION                  | TITLE
> +---------------------------------------------+------------------+----------+--------------------+--------------------------------+-------
> | com.fasterxml.jackson.core:jackson-databind | CVE-2020-25649   | HIGH     | 2.10.0             | 2.6.7.4, 2.9.10.7, 2.10.5.1    | jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity... --> avd.aquasec.com/nvd/cve-2020-25649
> | com.fasterxml.jackson.core:jackson-databind | CVE-2017-15095   | CRITICAL | 2.2.3              | 2.7.9.2, 2.8.10, 2.9.1         | jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)... --> avd.aquasec.com/nvd/cve-2017-15095
> | com.fasterxml.jackson.core:jackson-databind | CVE-2018-11307   | CRITICAL | 2.2.3              | 2.7.9.4, 2.8.11.2, 2.9.6       | jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis --> avd.aquasec.com/nvd/cve-2018-11307
> | com.fasterxml.jackson.core:jackson-databind | CVE-2018-14718   | CRITICAL | 2.2.3              | 2.6.7.2, 2.9.7                 | jackson-databind: arbitrary code execution in slf4j-ext class --> avd.aquasec.com/nvd/cve-2018-14718
> | com.fasterxml.jackson.core:jackson-databind | CVE-2018-7489    | CRITICAL | 2.2.3              | 2.7.9.3, 2.8.11.1, 2.9.5       | jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries --> avd.aquasec.com/nvd/cve-2018-7489
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-14540   | CRITICAL | 2.2.3              | 2.9.10                         | jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig --> avd.aquasec.com/nvd/cve-2019-14540
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-14893   | CRITICAL | 2.2.3              | 2.8.11.5, 2.9.10               | jackson-databind: Serialization gadgets in classes of the xalan package --> avd.aquasec.com/nvd/cve-2019-14893
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-16335   | CRITICAL | 2.2.3              | 2.9.10                         | jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource --> avd.aquasec.com/nvd/cve-2019-16335
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-16942   | CRITICAL | 2.2.3              | 2.9.10.1                       | jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* --> avd.aquasec.com/nvd/cve-2019-16942
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-16943   | CRITICAL | 2.2.3              | 2.9.10.1                       | jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource --> avd.aquasec.com/nvd/cve-2019-16943
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-17267   | CRITICAL | 2.2.3              | 2.9.10                         | jackson-databind: Serialization gadgets in classes of the ehcache package --> avd.aquasec.com/nvd/cve-2019-17267
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-17531   | CRITICAL | 2.2.3              | 2.9.10.1                       | jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* --> avd.aquasec.com/nvd/cve-2019-17531
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-20330   | CRITICAL | 2.2.3              | 2.8.11.5, 2.9.10.2             | jackson-databind: lacks certain net.sf.ehcache blocking --> avd.aquasec.com/nvd/cve-2019-20330
> | com.fasterxml.jackson.core:jackson-databind | CVE-2018-5968    | HIGH     | 2.2.3              | 2.7.9.5, 2.8.11.1, 2.9.4       | jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and... --> avd.aquasec.com/nvd/cve-2018-5968
> | com.fasterxml.jackson.core:jackson-databind | CVE-2020-35490   | HIGH     | 2.2.3              | 2.9.10.8                       | jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource... --> avd.aquasec.com/nvd/cve-2020-35490
> | com.fasterxml.jackson.core:jackson-databind | CVE-2020-35491   | HIGH     | 2.2.3              | 2.9.10.8                       | jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource... --> avd.aquasec.com/nvd/cve-2020-35491
> | com.fasterxml.jackson.core:jackson-databind | CVE-2018-1000873 | MEDIUM   | 2.2.3              | 2.9.8                          | jackson-modules-java8: DoS due to an Improper Input Validation --> avd.aquasec.com/nvd/cve-2018-1000873
> | com.fasterxml.jackson.core:jackson-databind | CVE-2017-15095   | CRITICAL | 2.4.0              | 2.7.9.2, 2.8.10, 2.9.1         | jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)... --> avd.aquasec.com/nvd/cve-2017-15095
> | com.fasterxml.jackson.core:jackson-databind | CVE-2018-11307   | CRITICAL | 2.4.0              | 2.7.9.4, 2.8.11.2, 2.9.6       | jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis --> avd.aquasec.com/nvd/cve-2018-11307
> | com.fasterxml.jackson.core:jackson-databind | CVE-2018-14718   | CRITICAL | 2.4.0              | 2.6.7.2, 2.9.7                 | jackson-databind: arbitrary code execution in slf4j-ext class --> avd.aquasec.com/nvd/cve-2018-14718
> | com.fasterxml.jackson.core:jackson-databind | CVE-2018-7489    | CRITICAL | 2.4.0              | 2.7.9.3, 2.8.11.1, 2.9.5       | jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries --> avd.aquasec.com/nvd/cve-2018-7489
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-14540   | CRITICAL | 2.4.0              | 2.9.10                         | jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig --> avd.aquasec.com/nvd/cve-2019-14540
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-14893   | CRITICAL | 2.4.0              | 2.8.11.5, 2.9.10               | jackson-databind: Serialization gadgets in classes of the xalan package --> avd.aquasec.com/nvd/cve-2019-14893
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-16335   | CRITICAL | 2.4.0              | 2.9.10                         | jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource --> avd.aquasec.com/nvd/cve-2019-16335
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-16942   | CRITICAL | 2.4.0              | 2.9.10.1                       | jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* --> avd.aquasec.com/nvd/cve-2019-16942
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-16943   | CRITICAL | 2.4.0              | 2.9.10.1                       | jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource --> avd.aquasec.com/nvd/cve-2019-16943
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-17267   | CRITICAL | 2.4.0              | 2.9.10                         | jackson-databind: Serialization gadgets in classes of the ehcache package --> avd.aquasec.com/nvd/cve-2019-17267
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-17531   | CRITICAL | 2.4.0              | 2.9.10.1                       | jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* --> avd.aquasec.com/nvd/cve-2019-17531
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-20330   | CRITICAL | 2.4.0              | 2.8.11.5, 2.9.10.2             | jackson-databind: lacks certain net.sf.ehcache blocking --> avd.aquasec.com/nvd/cve-2019-20330
> | com.fasterxml.jackson.core:jackson-databind | CVE-2018-5968    | HIGH     | 2.4.0              | 2.7.9.5, 2.8.11.1, 2.9.4       | jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and... --> avd.aquasec.com/nvd/cve-2018-5968
> | com.fasterxml.jackson.core:jackson-databind | CVE-2020-35490   | HIGH     | 2.4.0              | 2.9.10.8                       | jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource... --> avd.aquasec.com/nvd/cve-2020-35490
> | com.fasterxml.jackson.core:jackson-databind | CVE-2020-35491   | HIGH     | 2.4.0              | 2.9.10.8                       | jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource... --> avd.aquasec.com/nvd/cve-2020-35491
> | com.fasterxml.jackson.core:jackson-databind | CVE-2018-1000873 | MEDIUM   | 2.4.0              | 2.9.8                          | jackson-modules-java8: DoS due to an Improper Input Validation --> avd.aquasec.com/nvd/cve-2018-1000873
> +---------------------------------------------+------------------+----------+--------------------+--------------------------------+-------
>
> Rajesh Krishnamurthy | Enterprise Architect
> T: +1 510-833-7189 | M: +1 925-917-9208
> http://www.perforce.com
>
> On Feb 15, 2022, at 11:00 AM, Sean Owen <sro...@gmail.com> wrote:
>
> I think these are readily answerable if you look at the text of the CVEs
> and Spark 3.0.3 release.
>
> https://nvd.nist.gov/vuln/detail/CVE-2019-17531
> concerns Jackson Databind up to 2.9.10, but you can see that 3.0.3 uses
> 2.10.0
> https://nvd.nist.gov/vuln/detail/CVE-2020-9480
> affects Spark 2.x, not 3.x
> https://nvd.nist.gov/vuln/detail/CVE-2019-0204
> does not appear related to Spark
>
> On Tue, Feb 15, 2022 at 12:40 PM Rajesh Krishnamurthy <rkrishnamur...@perforce.com> wrote:
>
>> Hi Sean,
>>
>> I am looking for fixing the vulnerabilities such as these in the 3.0.X
>> branch.
>>
>> 1) CVE-2019-17531
>> 2) CVE-2020-9480
>> 3) CVE-2019-0204
>>
>> Rajesh Krishnamurthy | Enterprise Architect
>>
>> On Feb 14, 2022, at 1:52 PM, Sean Owen <sro...@gmail.com> wrote:
>>
>> What vulnerabilities are you referring to? I'm not aware of any critical
>> outstanding issues, but not sure what you have in mind either.
>> See https://spark.apache.org/versioning-policy.html
>> - 3.0.x is EOL about now, which doesn't mean there can't be another
>> release, but would not generally expect one.
>>
>> On Mon, Feb 14, 2022 at 3:48 PM Rajesh Krishnamurthy <rkrishnamur...@perforce.com> wrote:
>>
>>> Hi Sean,
>>>
>>> Thanks for the response. Does the community have any plans of fixing
>>> any vulnerabilities that have been identified in the 3.0.3 version? Do you
>>> have any fixed date that 3.0.x is going to be EOL?
>>>
>>> Rajesh Krishnamurthy | Enterprise Architect
>>>
>>> On Feb 11, 2022, at 3:09 PM, Sean Owen <sro...@gmail.com> wrote:
>>>
>>> 3.0.x is about EOL now, and I hadn't heard anyone come forward to push a
>>> final maintenance release. Is there a specific issue you're concerned about?
>>>
>>> On Fri, Feb 11, 2022 at 4:24 PM Rajesh Krishnamurthy <rkrishnamur...@perforce.com> wrote:
>>>
>>>> Hi there,
>>>>
>>>> We are just wondering if there are any agenda by the Spark community
>>>> to actively engage development activities on the 3.0.x path. I know we have
>>>> the latest version of Spark with 3.2.x, but we are just wondering if any
>>>> development plans to have the vulnerabilities fixed on the 3.0.x path that
>>>> were identified on the 3.0.3 version, so that we don't need to migrate to
>>>> next major version (3.1.x in this case), but at the same time all the
>>>> vulnerabilities fixed within the minor version upgrade (eg: 3.0.x)
>>>>
>>>> Rajesh Krishnamurthy | Enterprise Architect
>>>>
>>>> This e-mail may contain information that is privileged or confidential.
>>>> If you are not the intended recipient, please delete the e-mail and any
>>>> attachments and notify us immediately.
>>>
>>> *CAUTION:* This email originated from outside of the organization. Do
>>> not click on links or open attachments unless you recognize the sender and
>>> know the content is safe.
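
Added example, not part of the thread and not code from trivy or Spark: a version-only triage of scanner rows like those in the table above, comparing each installed jackson-databind version with the fixed versions listed per release line. It assumes plain dotted numeric versions and that a release line newer than every listed fixed line already contains the fix; the function names are illustrative.

```python
"""Version-only triage of scanner rows (added example, not trivy's matching logic)."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'2.9.10.7' -> (2, 9, 10, 7); '2.10.0' -> (2, 10), so 2.10 == 2.10.0.

    Only plain dotted numeric versions are handled (an assumption that holds
    for the rows quoted in this thread); anything else raises ValueError.
    """
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 2 and parts[-1] == 0:
        parts.pop()                      # drop trailing zeros past major.minor
    while len(parts) < 2:
        parts.append(0)                  # always keep a major.minor pair
    return tuple(parts)


def triage(installed: str, fixed_versions: str) -> Tuple[str, Optional[str]]:
    """Return (status, nearest fixed release) for one scanner row."""
    inst = parse_version(installed)
    fixes = sorted((parse_version(f), f.strip()) for f in fixed_versions.split(","))

    # A fix exists on the installed release line (same major.minor):
    # the comparison only makes sense inside that line.
    same_line = [fx for fx in fixes if fx[0][:2] == inst[:2]]
    if same_line:
        fix_ver, fix_text = same_line[0]
        return ("affected", fix_text) if inst < fix_ver else ("not-affected", None)

    # Assumption: a line newer than every fixed line shipped with the fix.
    if inst[:2] > fixes[-1][0][:2]:
        return ("not-affected", None)

    # Older than, or between, the fixed lines and no fix on its own line.
    target = next(text for ver, text in fixes if ver > inst)
    return ("affected", target)


# (CVE, installed, fixed) values copied from the table in the thread; the last
# entry is the pairing discussed in the Feb 15 reply (CVE-2019-17531 vs 2.10.0).
ROWS: List[Tuple[str, str, str]] = [
    ("CVE-2020-25649", "2.10.0", "2.6.7.4, 2.9.10.7, 2.10.5.1"),
    ("CVE-2017-15095", "2.2.3", "2.7.9.2, 2.8.10, 2.9.1"),
    ("CVE-2019-20330", "2.4.0", "2.8.11.5, 2.9.10.2"),
    ("CVE-2019-17531", "2.10.0", "2.9.10.1"),
]


def triage_rows(rows: List[Tuple[str, str, str]]) -> Dict[Tuple[str, str], Tuple[str, Optional[str]]]:
    """Map (CVE, installed version) to its triage result."""
    return {(cve, inst): triage(inst, fixed) for cve, inst, fixed in rows}


if __name__ == "__main__":
    for (cve, inst), (status, target) in triage_rows(ROWS).items():
        print(f"{cve:<16} installed={inst:<8} {status:<12} upgrade-to={target}")
```

A version match only says the jar is old enough to contain the flaw; whether Spark's use of the library reaches it is the separate question raised in the reply at the top of the thread.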