I think it's fine to backport that to 3.3.x, regardless of whether it clearly affects Spark or not.
On Tue, Oct 4, 2022 at 11:31 AM phoebe chen <phoebe.mao...@gmail.com> wrote: > Hi: > (Not sure if this mailing group is good to use for such question, but just > try my luck here, thanks) > > SPARK-39725 <https://issues.apache.org/jira/browse/SPARK-39725> has > fix for security issues CVE-2022-2047 and CVE2022-2048 (High), which was > set to 3.4.0 release but that will happen Feb 2023. Is it possible to have > it in any earlier release such as 3.3.1 or 3.3.2? > > >