Skip to content

[SPARK-11652] [CORE] Remote code execution with InvokerTransformer#9731

Closed
srowen wants to merge 1 commit into
apache:masterfrom
srowen:SPARK-11652
Closed

[SPARK-11652] [CORE] Remote code execution with InvokerTransformer#9731
srowen wants to merge 1 commit into
apache:masterfrom
srowen:SPARK-11652

Conversation

@srowen
Copy link
Copy Markdown
Member

@srowen srowen commented Nov 16, 2015

Update to Commons Collections 3.2.2 to avoid any potential remote code execution vulnerability

@SparkQA
Copy link
Copy Markdown

SparkQA commented Nov 16, 2015

Test build #45991 has finished for PR 9731 at commit 0828753.

  • This patch fails Spark unit tests.
  • This patch merges cleanly.
  • This patch adds the following public classes (experimental):\n * case class JSONOptions(\n

@SparkQA
Copy link
Copy Markdown

SparkQA commented Nov 16, 2015

Test build #2064 has finished for PR 9731 at commit 0828753.

  • This patch passes all tests.
  • This patch merges cleanly.
  • This patch adds no public classes.

@srowen
Copy link
Copy Markdown
Member Author

srowen commented Nov 17, 2015

I'm going to go ahead and merge this, as it's a bug fix update anyway, passes, and should make sure there's no exploit of this form. We may not be alone in getting some alarmed customer questions about this, even though I suspect there is no actual exploit in Spark.

asfgit pushed a commit that referenced this pull request Nov 18, 2015
@srowen
[SPARK-11652][CORE] Remote code execution with InvokerTransformer
34ded83 
Update to Commons Collections 3.2.2 to avoid any potential remote code execution vulnerability

Author: Sean Owen <sowen@cloudera.com>

Closes #9731 from srowen/SPARK-11652.

(cherry picked from commit 9631ca3)
Signed-off-by: Sean Owen <sowen@cloudera.com>
@asfgit asfgit closed this in 9631ca3 Nov 18, 2015
asfgit pushed a commit that referenced this pull request Nov 18, 2015
@srowen
[SPARK-11652][CORE] Remote code execution with InvokerTransformer
0ed6d9c 
Update to Commons Collections 3.2.2 to avoid any potential remote code execution vulnerability

Author: Sean Owen <sowen@cloudera.com>

Closes #9731 from srowen/SPARK-11652.

(cherry picked from commit 9631ca3)
Signed-off-by: Sean Owen <sowen@cloudera.com>
asfgit pushed a commit that referenced this pull request Nov 18, 2015
@srowen
[SPARK-11652][CORE] Remote code execution with InvokerTransformer
073c89f 
Update to Commons Collections 3.2.2 to avoid any potential remote code execution vulnerability

Author: Sean Owen <sowen@cloudera.com>

Closes #9731 from srowen/SPARK-11652.

(cherry picked from commit 9631ca3)
Signed-off-by: Sean Owen <sowen@cloudera.com>
@srowen
Copy link
Copy Markdown
Member Author

srowen commented Nov 18, 2015

Merged to master/1.6/1.5/1.4

@srowen srowen deleted the SPARK-11652 branch November 18, 2015 10:55
@XuTingjun
Copy link
Copy Markdown
Contributor

XuTingjun commented Dec 8, 2015

@srowen I can't find this jar file, can you give me a download url?

@XuTingjun
Copy link
Copy Markdown
Contributor

XuTingjun commented Dec 8, 2015

@srowen I only find below commons-collection file:

<groupId>commons-collections</groupId>
  <artifactId>commons-collections</artifactId>
  <version>3.2.2</version>

@srowen
Copy link
Copy Markdown
Member Author

srowen commented Dec 8, 2015

@XuTingjun commons-collections? just search Maven Central
http://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22commons-collections%22%20AND%20a%3A%22commons-collections%22

@XuTingjun
Copy link
Copy Markdown
Contributor

XuTingjun commented Dec 8, 2015

I think the groupId should be "commons-collections", not "org.apache.commons", right?

@srowen
Copy link
Copy Markdown
Member Author

srowen commented Dec 8, 2015

Oh dang it, yes the group is only org.apache.commons in version 4. Right now this does nothing. PR coming ...

@XuTingjun
Copy link
Copy Markdown
Contributor

XuTingjun commented Dec 8, 2015

ok, please fix it as soon as possible, thanks.

@srowen srowen mentioned this pull request Dec 8, 2015
Closed
@srowen
Copy link
Copy Markdown
Member Author

srowen commented Dec 8, 2015

See #10198

asfgit pushed a commit that referenced this pull request Dec 8, 2015
@srowen
[SPARK-11652][CORE] Remote code execution with InvokerTransformer
c8f9eb7 
Fix commons-collection group ID to commons-collections for version 3.x

Patches earlier PR at #9731

Author: Sean Owen <sowen@cloudera.com>

Closes #10198 from srowen/SPARK-11652.2.

(cherry picked from commit e3735ce)
Signed-off-by: Sean Owen <sowen@cloudera.com>
asfgit pushed a commit that referenced this pull request Dec 8, 2015
@srowen
[SPARK-11652][CORE] Remote code execution with InvokerTransformer
4b99f72 
Fix commons-collection group ID to commons-collections for version 3.x

Patches earlier PR at #9731

Author: Sean Owen <sowen@cloudera.com>

Closes #10198 from srowen/SPARK-11652.2.

(cherry picked from commit e3735ce)
Signed-off-by: Sean Owen <sowen@cloudera.com>
asfgit pushed a commit that referenced this pull request Dec 8, 2015
@srowen
[SPARK-11652][CORE] Remote code execution with InvokerTransformer
c7c9985 
Fix commons-collection group ID to commons-collections for version 3.x

Patches earlier PR at #9731

Author: Sean Owen <sowen@cloudera.com>

Closes #10198 from srowen/SPARK-11652.2.

(cherry picked from commit e3735ce)
Signed-off-by: Sean Owen <sowen@cloudera.com>
asfgit pushed a commit that referenced this pull request Dec 8, 2015
@srowen
[SPARK-11652][CORE] Remote code execution with InvokerTransformer
e3735ce 
Fix commons-collection group ID to commons-collections for version 3.x

Patches earlier PR at #9731

Author: Sean Owen <sowen@cloudera.com>

Closes #10198 from srowen/SPARK-11652.2.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@srowen @SparkQA @XuTingjun