[SPARK-39540][BUILD] Upgrade mysql-connector-java to 8.0.29#36938

Closed
bjornjorgensen wants to merge 2 commits into apache:master from bjornjorgensen:Upgrade-mysql-connector-java-to-8.0.28

Conversation

@bjornjorgensen
Contributor

@bjornjorgensen bjornjorgensen commented Jun 21, 2022

What changes were proposed in this pull request?

Upgrade mysql-connector-java from 8.0.27 to 8.0.29

Why are the changes needed?

Improper Handling of Insufficient Permissions or Privileges in MySQL Connectors Java.

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2022-21363

Does this PR introduce any user-facing change?

No.

How was this patch tested?

Passes GA.
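Added example, not code from this PR or from the Spark build: a small Python check that scans a pom.xml for the affected artifact, resolves the Maven version property, and compares the version numerically against 8.0.28, the first release outside the "8.0.27 and prior" range named in the advisory text above. The pom fragment is constructed for the example; the `<mysql.version>` property name, the second dependency and the `test` scope in it are assumptions, not Spark's actual pom.

```python
import re
import xml.etree.ElementTree as ET
from typing import NamedTuple

# From the PR description (CVE-2022-21363): Connector/J "8.0.27 and prior" is
# affected, so 8.0.28 is the first release outside the affected range.
AFFECTED_COORDINATES = ("mysql", "mysql-connector-java")
FIRST_FIXED_VERSION = "8.0.28"

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom.xml fragment for this example. It is NOT Spark's pom: the
# <mysql.version> property name, the second dependency and the test scope are
# assumptions chosen to mirror a typical Maven layout (a version property
# referenced from a dependency entry).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <mysql.version>8.0.27</mysql.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>mysql</groupId>
      <artifactId>mysql-connector-java</artifactId>
      <version>${mysql.version}</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>unrelated-lib</artifactId>
      <version>1.2.3</version>
    </dependency>
  </dependencies>
</project>
"""


class Finding(NamedTuple):
    group_id: str
    artifact_id: str
    version: str
    scope: str
    affected: bool


def version_key(version: str) -> tuple:
    """Numeric tuple for ordering Maven-style versions: '8.0.27' -> (8, 0, 27).

    A lexical comparison would rank '8.0.9' above '8.0.27'; numeric parts fix
    that. Qualifiers such as '-SNAPSHOT' are ignored, which is good enough for
    a GA-release range check like this one.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def resolve_property(value: str, properties: dict) -> str:
    """Expand ${name} references against <properties>; unknown names stay as-is."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: properties.get(m.group(1), m.group(0)), value)


def scan_pom(pom_text: str) -> list:
    """Return one Finding per occurrence of the affected artifact in the POM."""
    root = ET.fromstring(pom_text)
    properties = {
        prop.tag.split("}")[-1]: (prop.text or "").strip()
        for prop in root.findall("m:properties/*", MAVEN_NS)
    }
    findings = []
    for dep in root.findall(".//m:dependency", MAVEN_NS):
        group_id = dep.findtext("m:groupId", "", MAVEN_NS).strip()
        artifact_id = dep.findtext("m:artifactId", "", MAVEN_NS).strip()
        if (group_id, artifact_id) != AFFECTED_COORDINATES:
            continue
        version = resolve_property(dep.findtext("m:version", "", MAVEN_NS).strip(), properties)
        # Maven's default scope is "compile"; a "test" scope means the jar is
        # not shipped to users of the build, which changes the exposure.
        scope = dep.findtext("m:scope", "compile", MAVEN_NS).strip()
        affected = version_key(version) < version_key(FIRST_FIXED_VERSION)
        findings.append(Finding(group_id, artifact_id, version, scope, affected))
    return findings


if __name__ == "__main__":
    for f in scan_pom(SAMPLE_POM):
        status = "AFFECTED (< %s)" % FIRST_FIXED_VERSION if f.affected else "ok"
        print(f"{f.group_id}:{f.artifact_id}:{f.version} scope={f.scope} -> {status}")
```

The check deliberately compares version components as integers rather than strings, since a string comparison would place 8.0.9 after 8.0.27 and miss an affected build; it also reports the dependency scope so a reviewer can see at a glance whether the artifact ships to users or only runs in tests.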

@github-actions github-actions bot added the BUILD label Jun 21, 2022
@bjornjorgensen bjornjorgensen changed the title [SPARK] Upgrade mysql-connector-java to 8.0.28 [SPARK-39540][BUILD] Upgrade mysql-connector-java to 8.0.28 Jun 21, 2022
@bjornjorgensen
Contributor Author

There is a newer release out, 8.0.29.

Member

@dongjoon-hyun dongjoon-hyun left a comment

May I ask why you chose 8.0.28 over 8.0.29, @bjornjorgensen?


@bjornjorgensen
Contributor Author

@dongjoon-hyun Yes, this PR is made to get rid of the CVE, but if you will have .29 I can change this PR, or let those that need version .29 upgrade to it.

@dongjoon-hyun
Member

If JDBC integration tests pass with 8.0.29 too, yes, please upgrade to 8.0.29. Otherwise, someone else will make another PR for that very soon.

@bjornjorgensen bjornjorgensen changed the title [SPARK-39540][BUILD] Upgrade mysql-connector-java to 8.0.28 [SPARK-39540][BUILD] Upgrade mysql-connector-java to 8.0.29 Jun 21, 2022
@bjornjorgensen
Contributor Author

@dongjoon-hyun Ok, now we have a test run with .29.
Thank you.

@dongjoon-hyun dongjoon-hyun changed the title [SPARK-39540][BUILD] Upgrade mysql-connector-java to 8.0.29 [SPARK-39540][BUILD] Upgrade mysql-connector-java to 8.0.29 Jun 21, 2022
Member

@dongjoon-hyun dongjoon-hyun left a comment

+1, LGTM (Pending CIs)

Member

@srowen srowen left a comment

Seems fine, though as a test-only dependency this would not affect Spark users.
I wonder if we can upgrade further, but a minor bump is OK.

@dongjoon-hyun
Member

Yes, this PR aims to use the latest one, 8.0.29.

Merged to master.

@bjornjorgensen bjornjorgensen deleted the Upgrade-mysql-connector-java-to-8.0.28 branch August 5, 2022 16:47