Upgraded by https://github.com/apache/spark/pull/56373 and ZooKeeper is already using 3.9.5 in the dev branch. We upgraded this in the dev branch but did not backport to branch-4.x and older because it does not directly affect Spark itself. They are artifact-level false positives.
On Tue, 9 Jun 2026 at 21:49, Alam, Shahnoor via user <[email protected]> wrote:
> Hi Spark Developers,
>
> I hope you are all having a good week.
>
> I recently opened [https://issues.apache.org/jira/browse/SPARK-57343]
> regarding outdated dependencies bundled within the PySpark distribution on PyPI.
>
> Currently, the pyspark pip package bundles pre-compiled JARs for Netty
> (4.2.7.Final) and ZooKeeper (3.9.4) into the site-packages/pyspark/jars/
> directory. Because these specific versions are flagged for recent High/Critical
> CVEs (including CVE-2026-44249 for Netty and CVE-2026-24281 for ZooKeeper),
> standard enterprise container security scanners (like Prisma Cloud) are
> forcefully failing immutable Docker image builds when pyspark is installed.
>
> Because downstream users cannot surgically delete or swap these bundled JARs
> in locked CI/CD pipelines without risking PySpark instability, we are
> currently blocked from deploying the latest PySpark releases.
>
> *The Request:* Could we look into bumping the internal Maven build properties
> for PySpark to pull the latest secure patches before the next release cycle?
>
> - io.netty:* -> 4.2.15.Final
> - org.apache.zookeeper:zookeeper -> 3.9.5
>
> All the specific CVE details and file paths are attached to the Jira ticket
> for reference.
>
> Thank you for your time and for all the hard work you put into maintaining
> Spark!
>
> Regards,
> Shahnoor
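One way a deployer can check whether an installed pyspark wheel still ships the flagged Netty and ZooKeeper JARs, as an added example that is not part of this thread or of Spark's own code: it parses the file names under site-packages/pyspark/jars/ and compares them with the minimum versions requested in SPARK-57343. The family names, helper functions and the sample listing are this example's own constructions, not Spark's.

```python
import re
from pathlib import Path

# Minimum versions requested in SPARK-57343, keyed by dependency family.
MINIMUM_VERSIONS = {"netty": "4.2.15.Final", "zookeeper": "3.9.5"}

# <artifact>-<version>[-<classifier>].jar, e.g.
# netty-transport-native-epoll-4.2.7.Final-linux-x86_64.jar
JAR_NAME = re.compile(
    r"^(?P<artifact>.+?)-(?P<version>\d+(?:\.\d+)*(?:\.Final)?)(?:-[^-]+)*\.jar$"
)

def version_key(version):
    """Numeric tuple for ordering; qualifiers such as '.Final' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def family_of(artifact):
    """Map an artifact (netty-all, zookeeper-jute, ...) to a watched family."""
    for family in MINIMUM_VERSIONS:
        if artifact == family or artifact.startswith(family + "-"):
            return family
    return None

def find_outdated_jars(jar_names, minimums=MINIMUM_VERSIONS):
    """Return {jar_name: required_version} for watched jars below the minimum."""
    outdated = {}
    for name in jar_names:
        m = JAR_NAME.match(name)
        family = family_of(m["artifact"]) if m else None
        if family is None:
            continue  # unversioned name, or not a dependency we track
        if version_key(m["version"]) < version_key(minimums[family]):
            outdated[name] = minimums[family]
    return outdated

def scan_pyspark_jars(site_packages):
    """Check <site_packages>/pyspark/jars/ of an installed pyspark package."""
    jar_dir = Path(site_packages) / "pyspark" / "jars"
    return find_outdated_jars(p.name for p in jar_dir.glob("*.jar"))

# Constructed sample listing (not taken from a real install).
SAMPLE_JARS = ["netty-all-4.2.7.Final.jar", "zookeeper-3.9.4.jar",
               "netty-transport-native-epoll-4.2.7.Final-linux-x86_64.jar",
               "zookeeper-jute-3.9.4.jar", "commons-lang3-3.12.0.jar"]

if __name__ == "__main__":
    for jar, required in sorted(find_outdated_jars(SAMPLE_JARS).items()):
        print(f"{jar}: below requested minimum {required}")
```

Run `scan_pyspark_jars(site.getsitepackages()[0])` against a real environment to get the same report for the installed package.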
