[SPARK-11652] [CORE] Remote code execution with InvokerTransformer #9731

Closed
wants to merge 1 commit into from


srowen
Member

@srowen srowen commented Nov 16, 2015

Update to Commons Collections 3.2.2 to avoid any potential remote code execution vulnerability

@SparkQA

SparkQA commented Nov 16, 2015

Test build #45991 has finished for PR 9731 at commit 0828753.

  • This patch fails Spark unit tests.
  • This patch merges cleanly.
  • This patch adds the following public classes (experimental):
      * case class JSONOptions(

@SparkQA

SparkQA commented Nov 16, 2015

Test build #2064 has finished for PR 9731 at commit 0828753.

  • This patch passes all tests.
  • This patch merges cleanly.
  • This patch adds no public classes.

@srowen
Member Author

srowen commented Nov 17, 2015

I'm going to go ahead and merge this, as it's a bug fix update anyway, passes, and should make sure there's no exploit of this form. We may not be alone in getting some alarmed customer questions about this, even though I suspect there is no actual exploit in Spark.

asfgit pushed a commit that referenced this pull request Nov 18, 2015
Update to Commons Collections 3.2.2 to avoid any potential remote code execution vulnerability

Author: Sean Owen <[email protected]>

Closes #9731 from srowen/SPARK-11652.

(cherry picked from commit 9631ca3)
Signed-off-by: Sean Owen <[email protected]>
@asfgit asfgit closed this in 9631ca3 Nov 18, 2015
@srowen
Member Author

srowen commented Nov 18, 2015

Merged to master/1.6/1.5/1.4

@srowen srowen deleted the SPARK-11652 branch November 18, 2015 10:55
@XuTingjun
Contributor

@srowen I can't find this jar file, can you give me a download url?

@XuTingjun
Contributor

@srowen I can only find the commons-collection file below:

<groupId>commons-collections</groupId>
<artifactId>commons-collections</artifactId>
<version>3.2.2</version>

@srowen
Member Author

srowen commented Dec 8, 2015

@XuTingjun
Contributor

I think the groupId should be "commons-collections", not "org.apache.commons", right?

@srowen
Member Author

srowen commented Dec 8, 2015

Oh dang it, yes the group is only org.apache.commons in version 4. Right now this does nothing. PR coming ...

@XuTingjun
Contributor

ok, please fix it as soon as possible, thanks.

@srowen
Member Author

srowen commented Dec 8, 2015

See #10198

asfgit pushed a commit that referenced this pull request Dec 8, 2015
Fix commons-collection group ID to commons-collections for version 3.x

Patches earlier PR at #9731

Author: Sean Owen <[email protected]>

Closes #10198 from srowen/SPARK-11652.2.

(cherry picked from commit e3735ce)
Signed-off-by: Sean Owen <[email protected]>
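
The failure mode in this thread (a 3.2.2 pin declared under a group ID that no resolved artifact uses, so the older 3.x jar stays on the classpath) can be caught by comparing the POM's managed pins with the resolved dependency list. This is an added example, not code from the PR or from Spark; the POM fragment and the `mvn dependency:list` lines are constructed samples, and placing the pin in `dependencyManagement` is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed POM fragment: the pin uses the 4.x group ID for a 3.x artifact.
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement><dependencies><dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-collections</artifactId>
    <version>3.2.2</version>
  </dependency></dependencies></dependencyManagement>
</project>"""

# Constructed lines in the format printed by `mvn dependency:list`.
RESOLVED = """\
[INFO]    commons-collections:commons-collections:jar:3.2.1:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.3.2:compile
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
TARGET = ("commons-collections", "commons-collections")
FIXED = (3, 2, 2)  # version this PR updates to

def managed_pins(pom_xml):
    """Map (groupId, artifactId) -> version for every managed dependency."""
    deps = ET.fromstring(pom_xml).findall(
        "m:dependencyManagement/m:dependencies/m:dependency", NS)
    text = lambda d, tag: d.findtext("m:" + tag, namespaces=NS)
    return {(text(d, "groupId"), text(d, "artifactId")): text(d, "version")
            for d in deps}

def resolved_artifacts(listing):
    """Map (groupId, artifactId) -> version from dependency:list output."""
    found = {}
    for line in listing.splitlines():
        parts = line.split()[-1].split(":") if line.split() else []
        if len(parts) in (5, 6):  # group:artifact:type[:classifier]:version:scope
            found[(parts[0], parts[1])] = parts[-2]
    return found

def audit(pom_xml, listing):
    """Report pins that match nothing and a 3.x jar older than FIXED."""
    pins, resolved = managed_pins(pom_xml), resolved_artifacts(listing)
    findings = [f"pin {g}:{a}:{v} matches no resolved artifact"
                for (g, a), v in pins.items() if (g, a) not in resolved]
    version = resolved.get(TARGET)
    if version and tuple(map(int, re.findall(r"\d+", version)[:3])) < FIXED:
        findings.append(f"{':'.join(TARGET)} resolves to {version}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(POM, RESOLVED)) or "ok")
```

Run against the constructed inputs, the audit reports both the inert pin and the 3.2.1 jar it failed to override; with the group ID corrected and 3.2.2 resolved, it reports nothing.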