SPARK-13471: Upgrade spark-project hive 1.2.1 jar to one with a groovy 2.4.4 dependency


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 1.6.0
    • Fix Version/s: None
    • Component/s: SQL
    • Labels: None

    Description

      The version of groovy that Hive 1.2.1 is built with contains a serialization vulnerability.

      While this shouldn't expose Spark to any attacks (it doesn't need the groovy artifacts to work), the POMs may still export that transitive groovy dependency.

      Fix: declare that org.spark-project.hive depends on groovy 2.4.4, rebuild and republish, update Spark dependencies to new version.


      People

        Assignee: Unassigned
        Reporter: Steve Loughran (stevel@apache.org)
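A build-side check for the transitive dependency the description mentions, as an added example that is not part of the issue or of Spark's own code: it parses the text output of `mvn dependency:tree` and reports groovy artifacts older than 2.4.4 that arrive through an org.spark-project.hive dependency. The groovy group id `org.codehaus.groovy`, the tree output format and every coordinate in the sample are assumptions; the sample tree is constructed.

```python
import re

FIXED = (2, 4, 4)                      # groovy version the issue asks for
HIVE_GROUP = "org.spark-project.hive"  # group id named in the issue
GROOVY_GROUP = "org.codehaus.groovy"   # assumption: groovy's Maven group id

# One node of `mvn dependency:tree` text output: tree-drawing prefix, then
# group:artifact:type[:classifier]:version[:scope].
NODE = re.compile(r"^\[INFO\] ([|\\+\- ]*)([\w.\-]+(?::[\w.\-]+){3,5})\s*$")

# Constructed sample output; every coordinate and version other than the
# Hive group id is made up for illustration.
SAMPLE = r"""
[INFO] org.example:demo-app:jar:0.1
[INFO] +- org.example:sql-module:jar:0.1:compile
[INFO] |  +- org.spark-project.hive:hive-exec:jar:1.2.1:compile
[INFO] |  |  \- org.codehaus.groovy:groovy-all:jar:2.0.0:compile
[INFO] |  \- org.example:util:jar:0.1:compile
[INFO] \- org.example:other:jar:0.1:compile
"""


def version_tuple(version):
    """Leading numeric part of a version string: '2.4.4-x' -> (2, 4, 4)."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in m.group().split(".")) if m else None


def find_old_groovy(tree_text):
    """Return (coords, path) for each groovy artifact older than FIXED that is
    reached through an org.spark-project.hive dependency."""
    stack, findings = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue
        depth = len(m.group(1)) // 3          # Maven indents 3 chars per level
        fields = m.group(2).split(":")
        version = fields[3] if len(fields) == 4 else fields[-2]
        coords = f"{fields[0]}:{fields[1]}:{version}"
        del stack[depth:]                     # drop siblings and deeper nodes
        via_hive = any(p.startswith(HIVE_GROUP + ":") for p in stack)
        stack.append(coords)
        parsed = version_tuple(version)
        if fields[0] == GROOVY_GROUP and via_hive and parsed and parsed < FIXED:
            findings.append((coords, " > ".join(stack)))
    return findings


if __name__ == "__main__":
    for coords, path in find_old_groovy(SAMPLE):
        print(f"old groovy {coords} via {path}")
```

A non-empty result means the build still inherits the older groovy through the Hive artifacts; a Maven `<exclusions>` entry on the Hive dependency or a pinned version in `<dependencyManagement>` removes it from the resolved tree.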