[SPARK-14897] Upgrade Jetty to latest version of 8/9 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.0.0
Component/s: None
Labels:
- web-ui

Flags:

Important
External issue ID:
http://www.securityweek.com/critical-vulnerability-found-jetty-web-server

Description

It looks like the head/master branch of Spark uses quite an old version of Jetty: 8.1.14.v20131031

There have been some announcement of security vulnerabilities, notably in 2015 and there are versions of both 8 and 9 that address those. We recently left a web-ui port open and had the server compromised within days. Albeit, this upgrade shouldn't be the only security improvement made, the current version is clearly vulnerable, as-is.

Attachments

Issue Links

links to

[Github] Pull Request #12842 (srowen)

[Github] Pull Request #12916 (bomeng)

Activity

People

Assignee:: Bo Meng

Reporter:: Adam Kramer

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 25/Apr/16 18:14

Updated:: 12/May/16 19:08

Resolved:: 12/May/16 19:07