[SPARK Dependencies] Security Vulnerability with Xerces version < 2.12


Anthony Poncet
Hello,

Xerces, used as xercesImpl-2.9.1.jar in spark-2.4.5-bin-hadoop2.7.tgz, contains a security vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2018-2799). As this vulnerability is fixed starting with Xerces 2.12, does someone know if there is any plan to move to this newer version?

In case I reached the wrong mailing list, does someone know to which one I could send such a question?

Regards,
Anthony Poncet
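
One way to check a Spark distribution (an unpacked directory or the .tgz itself) for xercesImpl jars older than the 2.12 release named in the post. This is an added example, not part of the original message and not Spark project code. It assumes the version is encoded in the file name, as in xercesImpl-2.9.1.jar; the function names and the sample archive are constructed for illustration.

```python
import io
import re
import tarfile
import tempfile
from pathlib import Path

FIXED = (2, 12)  # first fixed release, as stated in the post
JAR_RE = re.compile(r"xercesImpl-(\d+(?:\.\d+)*)[^/\\]*\.jar$")


def parse_version(name):
    """Return the version tuple from a xercesImpl jar file name, or None."""
    m = JAR_RE.search(name)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def member_names(target):
    """List jar paths in a directory tree, or file members of a tar archive."""
    target = Path(target)
    if target.is_dir():
        return [p.as_posix() for p in target.rglob("*.jar")]
    with tarfile.open(target) as tar:  # auto-detects .tgz / .tar.gz / .tar
        return [m.name for m in tar.getmembers() if m.isfile()]


def find_outdated_xerces(target, fixed=FIXED):
    """Return sorted (path, version) pairs for xercesImpl jars older than `fixed`."""
    hits = []
    for name in member_names(target):
        version = parse_version(name)
        if version is not None and version < fixed:
            hits.append((name, ".".join(map(str, version))))
    return sorted(hits)


def demo():
    """Scan a constructed tarball (placeholder jar contents, not a real Spark build)."""
    names = ["dist/jars/xercesImpl-2.9.1.jar", "dist/jars/xercesImpl-2.12.0.jar",
             "dist/jars/other-lib-1.0.jar"]
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp) / "sample-dist.tgz"
        with tarfile.open(archive, "w:gz") as tar:
            for name in names:
                info = tarfile.TarInfo(name)
                info.size = 0
                tar.addfile(info, io.BytesIO(b""))
        return find_outdated_xerces(archive)


if __name__ == "__main__":
    for path, version in demo():
        print(f"{path}: Xerces {version} is older than 2.12")
```

A file-name scan does not see copies of Xerces that were renamed or repackaged inside another jar, so an empty result only covers jars that keep the xercesImpl-<version>.jar naming.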