[SPARK-45590] okio-1.15.0 CVE-2023-3635 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.4.0, 3.5.0, 4.0.0
Fix Version/s: 4.0.0, 3.4.4, 3.5.3
Component/s: Build
Labels:
- pull-request-available

Description

CVE-2023-3635 is being flagged against okio-1.15.0 present in the Spark 3.5.0 build:

./spark-3.5.0-bin-without-hadoop/jars/okio-1.15.0.jar
./spark-3.5.0-bin-hadoop3/jars/okio-1.15.0.jar

I don't see okio in the dependency tree, it must be coming in via some profile.

Attachments

Issue Links

links to

GitHub Pull Request #47758

GitHub Pull Request #47769

GitHub Pull Request #47770

Activity

People

Assignee:: Gabor Roczei

Reporter:: Colm O hEigeartaigh

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 18/Oct/23 06:49

Updated:: 16/Aug/24 02:19

Resolved:: 16/Aug/24 02:12