[SPARK-38784][CORE] Upgrade Jetty to 9.4.46 #36229
@@ -139,7 +139,7 @@ | |||
<derby.version>10.14.2.0</derby.version> | |||
<parquet.version>1.12.2</parquet.version> | |||
<orc.version>1.7.4</orc.version> | |||
<jetty.version>9.4.44.v20210927</jetty.version> | |||
<jetty.version>9.4.46.v20220331</jetty.version> |
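Review bot: the `jetty.version` change on the last line of this hunk alters the resolved Jetty artifacts, but nothing here updates the checked-in dependency manifest, so the two will disagree until it is regenerated. Please regenerate the manifest in the same change and confirm the only differences are the Jetty entries moving from 9.4.44.v20210927 to 9.4.46.v20220331; any unrelated churn in other profiles should be left out of the commit.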
Oh, could you update the dependency manifest?
Oops, I thought it didn't generate changes when I ran, but it does. (Actually it caused a bunch of unrelated changes in the hadoop 2 profile, but I reverted those.) Added.
Yes, it was a bug of Apache Maven 3.8.5. If you use the latest version (like Home-brew maven), it ignores the dependency from profiles. Recently, I uninstalled man from Homebrew and use `build/mvnw` always to avoid that issue.
### What changes were proposed in this pull request?
Upgrade Jetty to 9.4.46
### Why are the changes needed?
Three CVEs, which don't necessarily appear to affect Spark, are fixed in this version. Just housekeeping.
CVE-2021-28169
CVE-2021-34428
CVE-2021-34429
### Does this PR introduce _any_ user-facing change?
No
### How was this patch tested?
Existing tests

Closes #36229 from srowen/SPARK-38784.

Authored-by: Sean Owen <srowen@gmail.com>
Signed-off-by: Dongjoon Hyun <dongjoon@apache.org>
(cherry picked from commit 619b7b4)
Signed-off-by: Dongjoon Hyun <dongjoon@apache.org>
### What changes were proposed in this pull request?
Upgrade Jetty to 9.4.46
### Why are the changes needed?
Three CVEs, which don't necessarily appear to affect Spark, are fixed in this version. Just housekeeping.
- CVE-2021-28169
- CVE-2021-34428
- CVE-2021-34429
### Does this PR introduce any user-facing change?
No
### How was this patch tested?
Existing tests