[SPARK-11652] [CORE] Remote code execution with InvokerTransformer #9731
…e execution vulnerability
Test build #45991 has finished for PR 9731 at commit
Test build #2064 has finished for PR 9731 at commit
I'm going to go ahead and merge this, as it's a bug fix update anyway, passes, and should make sure there's no exploit of this form. We may not be alone in getting some alarmed customer questions about this, even though I suspect there is no actual exploit in Spark.
Update to Commons Collections 3.2.2 to avoid any potential remote code execution vulnerability

Author: Sean Owen <[email protected]>

Closes #9731 from srowen/SPARK-11652.

(cherry picked from commit 9631ca3)
Signed-off-by: Sean Owen <[email protected]>
Merged to master/1.6/1.5/1.4

@srowen I can't find this jar file, can you give me a download URL?
@srowen I only find below commons-collection file:
@XuTingjun commons-collections? Just search Maven Central

I think the groupId should be "commons-collections", not "org.apache.commons", right?

Oh dang it, yes the group is only

OK, please fix it as soon as possible, thanks.

See #10198
Fix commons-collection group ID to commons-collections for version 3.x

Patches earlier PR at #9731

Author: Sean Owen <[email protected]>

Closes #10198 from srowen/SPARK-11652.2.

(cherry picked from commit e3735ce)
Signed-off-by: Sean Owen <[email protected]>
Update to Commons Collections 3.2.2 to avoid any potential remote code execution vulnerability