Hi Hyukjin,

Thank you for your earlier response and for clarifying the upgrades made in the dev branch. I wanted to follow up regarding the recent PR, https://github.com/apache/spark/pull/56373, and ask for some additional details.

Could you please confirm whether the following CVEs have been addressed in this PR?

- CVE-2026-33870
- CVE-2026-33871
- CVE-2026-42577
- CVE-2026-42579
- CVE-2026-42582
- CVE-2026-42583
- CVE-2026-42584
- CVE-2026-42587

Additionally, could you confirm whether there are plans to patch Netty 4.2.15.Final and ZooKeeper 3.9.5 so they become commercially available? If so, could you provide an estimate of how long this might take?

If you could provide insight on whether these vulnerabilities are now resolved, it would be greatly appreciated. This information will help us ensure compliance with our enterprise container security requirements and facilitate a smoother deployment process.

Thanks again for your support and all the work you put into Spark! Looking forward to your update.

Regards,
Shahnoor

From: Alam, Shahnoor <[email protected]>
Date: Thursday, 11 June 2026 at 3:35 PM
To: Hyukjin Kwon <[email protected]>; [email protected] <[email protected]>
Cc: [email protected] <[email protected]>; [email protected] <[email protected]>; [email protected] <[email protected]>; Singh, Manoj <[email protected]>; Fatima Ansari, Nuzhat <[email protected]>; Misra Parashar, Jyoti <[email protected]>; Shukla, Vidur <[email protected]>; George, Rejish <[email protected]>; Dussa, Hanisha <[email protected]>; Kumar Sharma, Rohit B. <[email protected]>
Subject: Re: [External] Re: [SECURITY] Request to bump bundled Netty and ZooKeeper in PySpark (Blocks Enterprise Scanners) - [SPARK-57343]

Thanks for the response, Hyukjin. Since we are using PySpark version 4.1.1, could you confirm whether there are plans to patch Netty 4.2.15.Final and ZooKeeper 3.9.5 so they become commercially available? If so, could you provide an estimate of how long this might take?

Regards,
Shahnoor

From: Hyukjin Kwon <[email protected]>
Date: Wednesday, 10 June 2026 at 11:40 AM
To: [email protected] <[email protected]>
Cc: [email protected] <[email protected]>; [email protected] <[email protected]>; [email protected] <[email protected]>; Singh, Manoj <[email protected]>; Fatima Ansari, Nuzhat <[email protected]>; Misra Parashar, Jyoti <[email protected]>; Shukla, Vidur <[email protected]>; George, Rejish <[email protected]>; Dussa, Hanisha <[email protected]>; Kumar Sharma, Rohit B. <[email protected]>; Alam, Shahnoor <[email protected]>
Subject: [External] Re: [SECURITY] Request to bump bundled Netty and ZooKeeper in PySpark (Blocks Enterprise Scanners) - [SPARK-57343]

Upgraded by https://github.com/apache/spark/pull/56373 and ZooKeeper is already using 3.9.5 in the dev branch. We upgraded this in the dev branch but did not backport to branch-4.x and older because it does not directly affect Spark itself. They are artifact-level false positives.

On Tue, 9 Jun 2026 at 21:49, Alam, Shahnoor via user <[email protected]> wrote:

Hi Spark Developers,

I hope you are all having a good week. I recently opened https://issues.apache.org/jira/browse/SPARK-57343 regarding outdated dependencies bundled within the PySpark distribution on PyPI. Currently, the pyspark pip package bundles pre-compiled JARs for Netty (4.2.7.Final) and ZooKeeper (3.9.4) into the site-packages/pyspark/jars/ directory.

Because these specific versions are flagged for recent High/Critical CVEs (including CVE-2026-44249 for Netty and CVE-2026-24281 for ZooKeeper), standard enterprise container security scanners (like Prisma Cloud) are forcefully failing immutable Docker image builds when pyspark is installed. Because downstream users cannot surgically delete or swap these bundled JARs in locked CI/CD pipelines without risking PySpark instability, we are currently blocked from deploying the latest PySpark releases.

The Request: Could we look into bumping the internal Maven build properties for PySpark to pull the latest secure patches before the next release cycle?

* io.netty:* -> 4.2.15.Final
* org.apache.zookeeper:zookeeper -> 3.9.5

All the specific CVE details and file paths are attached to the Jira ticket for reference.

Thank you for your time and for all the hard work you put into maintaining Spark!

Regards,
Shahnoor
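One way for a downstream user to verify which Netty and ZooKeeper builds a given PySpark install actually bundles, measured against the minimum versions requested in this thread (an added example, not code from the Spark project or from anyone on the list). It assumes the usual `<artifact>-<version>.jar` naming for the files under site-packages/pyspark/jars/; the helper name `scan_installed_pyspark` and the `SAMPLE_JARS` listing are constructed for illustration.

```python
import re
from pathlib import Path
from typing import Iterable, Optional

# Minimum versions requested in the thread: io.netty:* -> 4.2.15.Final, zookeeper -> 3.9.5.
MINIMUM_VERSIONS = {"netty": "4.2.15.Final", "zookeeper": "3.9.5"}

# Assumes the usual <artifact>-<version>.jar naming, e.g. netty-handler-4.2.7.Final.jar.
JAR_RE = re.compile(r"^(?P<artifact>[a-z][a-z0-9.-]*?)-(?P<version>\d+(?:\.\d+)*(?:\.Final)?)\.jar$")

def version_key(version: str) -> tuple:
    """'4.2.7.Final' -> (4, 2, 7); the '.Final' qualifier does not affect ordering."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())

def classify(jar_name: str) -> Optional[tuple]:
    """Return (family, version) for Netty or ZooKeeper jars, None for anything else."""
    match = JAR_RE.match(jar_name)
    if match is None:
        return None
    artifact, version = match.group("artifact"), match.group("version")
    for family in MINIMUM_VERSIONS:
        if artifact == family or artifact.startswith(family + "-"):
            return family, version
    return None

def find_outdated(jar_names: Iterable[str]) -> dict:
    """Map each family to the (jar, version) pairs that sit below the requested minimum."""
    outdated = {family: [] for family in MINIMUM_VERSIONS}
    for name in sorted(jar_names):
        hit = classify(name)
        if hit is None:
            continue
        family, version = hit
        if version_key(version) < version_key(MINIMUM_VERSIONS[family]):
            outdated[family].append((name, version))
    return outdated

def scan_installed_pyspark() -> dict:
    """Scan the jars/ directory of the pyspark package installed in this environment."""
    import pyspark  # resolves site-packages/pyspark/ without hard-coding a path
    jars_dir = Path(pyspark.__file__).parent / "jars"
    return find_outdated(p.name for p in jars_dir.glob("*.jar"))

# Constructed sample listing, not a dump of a real installation.
SAMPLE_JARS = ["netty-buffer-4.2.15.Final.jar", "netty-common-4.2.7.Final.jar",
               "netty-handler-4.2.7.Final.jar", "scala-library-2.13.16.jar",
               "zookeeper-3.9.4.jar", "zookeeper-jute-3.9.5.jar"]

if __name__ == "__main__":
    print(find_outdated(SAMPLE_JARS))  # jars still below the requested minimums
```

Run `scan_installed_pyspark()` inside the image being built to get the same report for the real jars/ directory; an empty list for both families is what the scanner in the thread would need to see.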
