From f7ac0dbe63cda76fa1882574234780f1d5e14858 Mon Sep 17 00:00:00 2001 From: Kousuke Saruta Date: Thu, 8 Apr 2021 10:42:12 -0500 Subject: [PATCH] [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 ### What changes were proposed in this pull request? This PR backports #32091. This PR upgrades the version of Jetty to 9.4.39. ### Why are the changes needed? CVE-2021-28165 affects the version of Jetty that Spark uses and it seems to be a little bit serious. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28165 ### Does this PR introduce _any_ user-facing change? No. ### How was this patch tested? Existing tests. Closes #32093 from sarutak/backport-SPARK-34988. Authored-by: Kousuke Saruta Signed-off-by: Sean Owen --- dev/deps/spark-deps-hadoop-3.1 | 4 ++-- pom.xml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/dev/deps/spark-deps-hadoop-3.1 b/dev/deps/spark-deps-hadoop-3.1 index 90775e162ddfd..7e0871be30180 100644 --- a/dev/deps/spark-deps-hadoop-3.1 +++ b/dev/deps/spark-deps-hadoop-3.1 @@ -116,8 +116,8 @@ jersey-container-servlet/2.22.2//jersey-container-servlet-2.22.2.jar jersey-guava/2.22.2//jersey-guava-2.22.2.jar jersey-media-jaxb/2.22.2//jersey-media-jaxb-2.22.2.jar jersey-server/2.22.2//jersey-server-2.22.2.jar -jetty-webapp/9.4.36.v20210114//jetty-webapp-9.4.36.v20210114.jar -jetty-xml/9.4.36.v20210114//jetty-xml-9.4.36.v20210114.jar +jetty-webapp/9.4.39.v20210325//jetty-webapp-9.4.39.v20210325.jar +jetty-xml/9.4.39.v20210325//jetty-xml-9.4.39.v20210325.jar jline/2.14.6//jline-2.14.6.jar joda-time/2.9.3//joda-time-2.9.3.jar jodd-core/3.5.2//jodd-core-3.5.2.jar diff --git a/pom.xml b/pom.xml index 2b51d4d76128e..972c359bbfe80 100644 --- a/pom.xml +++ b/pom.xml @@ -134,7 +134,7 @@ 1.5.5 nohive 1.6.0 - 9.4.36.v20210114 + 9.4.39.v20210325 3.1.0 0.9.3 2.4.0