[ https://issues.apache.org/jira/browse/CARBONDATA-4041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17248781#comment-17248781 ]
Ajantha Bhat commented on CARBONDATA-4041:
------------------------------------------
[https://spark.apache.org/security.html]
Based on this, *CVE-2020-9480* is only problematic for standalone cluster RPC calls. Can you provide more details about the article mentioning that the dependency spark-unsafe 2.4.5 has a CVE?
If the unsafe jar has a problem, maybe we have to explicitly add a dependency on 2.4.6 and exclude 2.4.5. But not sure about compatibility.
Upgrading the whole of Spark to 3.X: we have the plan. It might take a few months from now to finish the integration.
> carbondata-processing's apache-spark versions and vulnerabilities
> -----------------------------------------------------------------
>
> Key: CARBONDATA-4041
> URL: https://issues.apache.org/jira/browse/CARBONDATA-4041
> Project: CarbonData
> Issue Type: Improvement
> Components: other
> Affects Versions: 2.0.1
> Reporter: openlookeng
> Priority: Blocker
>
> carbondata-processing depends on the spark-unsafe 2.4.5 component, but it has vulnerabilities of *CVE-2020-9480*; does the team have a plan to update it?
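An added example, not part of the original comment or the CarbonData project: a small checker that reads `mvn dependency:tree` output and lists the Spark artifacts whose version falls in the range the Spark security page gives for CVE-2020-9480 (2.4.5 and earlier), with their tree depth so direct and transitive dependencies can be told apart. The sample tree is constructed for illustration and is not carbondata-processing's real dependency tree; the function names are hypothetical.

```python
import re

# Maven coordinates as printed by `mvn dependency:tree`:
# groupId:artifactId:packaging:version:scope
COORD = re.compile(r"org\.apache\.spark:([\w.\-]+):jar:(\d+(?:\.\d+)+):(\w+)")

# Assumption taken from the Spark security page linked in the comment:
# CVE-2020-9480 covers 2.4.5 and earlier, so 2.4.6 is the first release outside it.
FIXED_IN = (2, 4, 6)

# Constructed sample output (not the real tree of carbondata-processing 2.0.1).
SAMPLE_TREE = r"""
[INFO] org.apache.carbondata:carbondata-processing:jar:2.0.1
[INFO] +- org.apache.spark:spark-sql_2.11:jar:2.4.5:compile
[INFO] |  +- org.apache.spark:spark-unsafe_2.11:jar:2.4.5:compile
[INFO] |  \- org.apache.spark:spark-core_2.11:jar:2.4.6:compile
[INFO] \- org.apache.commons:commons-lang3:jar:3.9:compile
"""

def parse_version(text):
    """Turn '2.4.5' into (2, 4, 5) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def spark_artifacts(tree_text):
    """Return (artifactId, version, scope, depth) for every Spark artifact."""
    found = []
    for line in tree_text.splitlines():
        match = COORD.search(line)
        if not match:
            continue
        # Each tree level adds a 3-character prefix such as '+- ' or '|  '.
        prefix = line[:match.start()].replace("[INFO] ", "", 1)
        found.append((match.group(1), match.group(2), match.group(3), len(prefix) // 3))
    return found

def in_cve_range(tree_text):
    """Spark artifacts whose version is earlier than FIXED_IN."""
    return [a for a in spark_artifacts(tree_text) if parse_version(a[1]) < FIXED_IN]

if __name__ == "__main__":
    for artifact, version, scope, depth in in_cve_range(SAMPLE_TREE):
        kind = "direct" if depth == 1 else "transitive"
        print(f"{artifact} {version} ({scope}, {kind})")
```

A version match only shows that the artifact is in the advisory's range; whether the deployment uses a standalone cluster, the setup the comment refers to, has to be checked separately.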