Details
- Improvement
- Status: Resolved
- Major
- Resolution: Won't Fix
- 1.6.0
- None
- None
Description
The version of groovy that Hive 1.2.1 is built with contains a serialization vulnerability.
While this shouldn't expose Spark to any attacks (it doesn't need the groovy artifacts to work), the POMs may still export that transitive groovy dependency.
Fix: declare that org.spark-project.hive depends on groovy 2.4.4, rebuild and republish, update spark dependencies to new version.
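A downstream check for the situation described above, as an added example that is not part of the original issue or of Spark's build: it parses `mvn dependency:tree` text output and reports every `org.codehaus.groovy` artifact older than 2.4.4 together with the dependency chain that pulls it in. The sample tree, its `com.example:demo-app` root and the Groovy version 2.1.6 are constructed for illustration.

```python
import re

FIXED = (2, 4, 4)              # version named in the issue's proposed fix
GROUP = "org.codehaus.groovy"  # Maven groupId of the Groovy artifacts
# Matches one node of `mvn dependency:tree` text output: indent, marker, coordinate.
NODE = re.compile(r"^(?:\[INFO\] )?((?:[| ] {2})*)([+\\]- )?(\S+:\S+)$")

# Constructed sample output; the root project and the 2.1.6 version are illustrative.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:tree (default-cli) @ demo-app ---
[INFO] com.example:demo-app:jar:1.0
[INFO] +- org.apache.spark:spark-hive_2.10:jar:1.6.0:compile
[INFO] |  +- org.spark-project.hive:hive-exec:jar:1.2.1.spark:compile
[INFO] |  |  \- org.codehaus.groovy:groovy-all:jar:2.1.6:compile
[INFO] \- org.codehaus.groovy:groovy:jar:indy:2.4.4:compile
"""

def version_tuple(version):
    """Leading numeric components of a version string, padded to three."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def find_old_groovy(tree_text):
    """Return (coordinate, ancestor chain) for each Groovy artifact below FIXED."""
    findings, stack = [], []
    for raw in tree_text.splitlines():
        m = NODE.match(raw.rstrip())
        if not m:
            continue  # banner or summary line, not a tree node
        indent, marker, coord = m.groups()
        parts = coord.split(":")
        if len(parts) < 4:
            continue  # not group:artifact:type[:classifier]:version[:scope]
        depth = len(indent) // 3 + (1 if marker else 0)
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        del stack[depth:]  # drop nodes from deeper or sibling branches
        stack.append(f"{parts[0]}:{parts[1]}")
        if parts[0] == GROUP and version_tuple(version) < FIXED:
            findings.append((coord, stack[:-1]))
    return findings

if __name__ == "__main__":
    for coord, chain in find_old_groovy(SAMPLE_TREE):
        print(f"{coord}\n  pulled in via: {' -> '.join(chain)}")
```

The last entry of each reported chain is the dependency on which to declare an exclusion or a managed Groovy version.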
Issue Links
- is superseded by: SPARK-13599 Groovy-all ends up in spark-assembly if hive profile set (Resolved)