[SPARK-36129][BUILD] Upgrade commons-compress to 1.21 to deal with CVEs #33333
Kubernetes integration test unable to build dist. exiting with code: 1
+1, LGTM. Thank you, @sarutak and @HyukjinKwon . Merged to master/3.2.
### What changes were proposed in this pull request?

This PR upgrades `commons-compress` from `1.20` to `1.21` to deal with CVEs.

### Why are the changes needed?

Some CVEs which affect `commons-compress 1.20` are reported and fixed in `1.21`.
https://commons.apache.org/proper/commons-compress/security-reports.html

* CVE-2021-35515
* CVE-2021-35516
* CVE-2021-35517
* CVE-2021-36090

The severities are reported as low for all the CVEs but it would be better to deal with them just in case.

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

CI.

Closes #33333 from sarutak/upgrade-commons-compress-1.21.

Authored-by: Kousuke Saruta <sarutak@oss.nttdata.com>
Signed-off-by: Dongjoon Hyun <dongjoon@apache.org>
(cherry picked from commit fd06cc2)
Signed-off-by: Dongjoon Hyun <dongjoon@apache.org>
@gengliangwang I landed this to branch-3.2 since this is related to some CVEs.
BTW, for the other old branches, we might need to revisit.
Yeah, I'll do it. Thanks!
Test build #140993 has finished for PR 33333 at commit
Thank you @sarutak @dongjoon-hyun
…th CVEs

### What changes were proposed in this pull request?

This PR backports the change of SPARK-36129 (#33333) which upgrades `commons-compress` from `1.20` to `1.21` to deal with CVEs.

### Why are the changes needed?

Some CVEs which affect `commons-compress 1.20` are reported and fixed in `1.21`.
https://commons.apache.org/proper/commons-compress/security-reports.html

* CVE-2021-35515
* CVE-2021-35516
* CVE-2021-35517
* CVE-2021-36090

The severities are reported as low for all the CVEs but it would be better to deal with them just in case.

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

CI.

Closes #33338 from sarutak/backport-SPARK-36129-branch-3.1.

Authored-by: Kousuke Saruta <sarutak@oss.nttdata.com>
Signed-off-by: Dongjoon Hyun <dongjoon@apache.org>
…th CVEs

### What changes were proposed in this pull request?

This PR backports the change of SPARK-36129 (#33333) which upgrades `commons-compress` from `1.20` to `1.21` to deal with CVEs.

### Why are the changes needed?

Some CVEs which affect `commons-compress 1.20` are reported and fixed in `1.21`.
https://commons.apache.org/proper/commons-compress/security-reports.html

* CVE-2021-35515
* CVE-2021-35516
* CVE-2021-35517
* CVE-2021-36090

The severities are reported as low for all the CVEs but it would be better to deal with them just in case.

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

CI.

Closes #33337 from sarutak/backport-SPARK-36129-branch-3.0.

Authored-by: Kousuke Saruta <sarutak@oss.nttdata.com>
Signed-off-by: Dongjoon Hyun <dongjoon@apache.org>
### What changes were proposed in this pull request?

This PR upgrades `commons-compress` from `1.20` to `1.21` to deal with CVEs.

### Why are the changes needed?

Some CVEs which affect `commons-compress 1.20` are reported and fixed in `1.21`.
https://commons.apache.org/proper/commons-compress/security-reports.html

The severities are reported as low for all the CVEs but it would be better to deal with them just in case.

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

CI.
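A downstream build can still pull an older `commons-compress` transitively even after this bump, so a practitioner wants a quick check of what actually resolves. The following is an added example, not code from this PR or from Spark: it scans `mvn dependency:tree` output for `org.apache.commons:commons-compress` and flags any version below 1.21 (the fix version named above) together with the four CVE identifiers from the PR. The sample tree output is constructed, and version comparison is numeric because a string comparison would wrongly treat `1.9` as newer than `1.21`.

```python
import re

# First commons-compress release containing the fixes for the CVEs in the PR.
FIXED_VERSION = (1, 21)
# CVE identifiers exactly as listed in the PR description.
CVES = ["CVE-2021-35515", "CVE-2021-35516", "CVE-2021-35517", "CVE-2021-36090"]

# Matches a Maven dependency:tree entry such as
# "[INFO] +- org.apache.commons:commons-compress:jar:1.20:compile"
DEP_RE = re.compile(r"org\.apache\.commons:commons-compress:jar:([0-9][0-9.]*)")


def parse_version(text):
    """Turn '1.20' into (1, 20) so comparison is numeric, not lexical ('1.9' < '1.21')."""
    return tuple(int(part) for part in text.split("."))


def vulnerable_versions(tree_output):
    """Return every commons-compress version below 1.21 seen in the tree, oldest first."""
    found = set()
    for line in tree_output.splitlines():
        match = DEP_RE.search(line)
        if match and parse_version(match.group(1)) < FIXED_VERSION:
            found.add(match.group(1))
    return sorted(found, key=parse_version)


def report(tree_output):
    """One-line verdict suitable for a CI log."""
    bad = vulnerable_versions(tree_output)
    if not bad:
        return "commons-compress >= 1.21 throughout; %s do not apply" % ", ".join(CVES)
    return "commons-compress %s found; affected by %s; upgrade to 1.21" % (
        ", ".join(bad), ", ".join(CVES))


# Constructed sample output (hypothetical module and versions), not from a real build.
# The "omitted for conflict" entry shows a transitive path that still asks for 1.9.
SAMPLE_TREE = """\
[INFO] com.example:example-job:jar:1.0.0
[INFO] +- org.apache.commons:commons-compress:jar:1.20:compile
[INFO] +- com.example:example-archiver:jar:2.3.0:compile
[INFO] |  \\- (org.apache.commons:commons-compress:jar:1.9:compile - omitted for conflict with 1.20)
[INFO] \\- org.apache.commons:commons-lang3:jar:3.12.0:compile
"""

if __name__ == "__main__":
    print(report(SAMPLE_TREE))
```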