[SPARK-40801][BUILD][3.2] Upgrade Apache commons-text to 1.10
#38352
Conversation
Can one of the admins verify this patch?
This is probably fine; a bigger upgrade from 1.6, but I don't have reason to believe it's a problem in 3.2 and tests pass.
Hm, the test seems to be stuck.
@srowen I did rerun the failed tests now and now they pass. But there are 2 python tests that don't pass,
Huh, that also seems unrelated. Let's hold onto this for a day or two and then rerun if needed.
cc @sunchao since he is the release manager of Apache Spark 3.2.3.
@srowen two days have passed.
The test still shows 'pending', hm. It sounds like you saw some possibly-unrelated tests failing. Ideally we'd see the tests pass first. Can you re-set or re-run the tests?
OK, I re-ran the tests now.
@xinrong-meng There are two tests that don't work for branch 3.2.
Could you make the same patch for the 3.1 branch?
No, Apache Spark 3.1 reached EOL last month because the first release was March 2, 2021, @vitas.
Looks good when the tests pass.
Is Spark actually affected by the problem in the
The latter.
Hm, maybe we can try the tests 1 more time. I'm inclined to merge for the 3.2 RC as I think the test failures are unrelated.
@srowen Will you merge this?
Well, I don't know if it passes - it probably does, but other errors are preventing it. I also don't know if this even affects Spark. If any other committer would endorse the 'override' I'd merge.
Yes, there are 2 python tests that fail, but the tests for java are running and those are OK.
We have been waiting for the release manager's approval, @bjornjorgensen, because the release preparation was already started. So, it would be great if @sunchao reviews and merges this as a part of the 3.2.3 release preparation.
I'm actually holding 3.2.3 for this PR. Once it's merged I'll start the release process.
### What changes were proposed in this pull request?
Upgrade Apache commons-text from 1.6 to 1.10.0
### Why are the changes needed?
[CVE-2022-42889](https://nvd.nist.gov/vuln/detail/CVE-2022-42889) this is a [9.8 CRITICAL](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2022-42889&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1&source=NIST)
### Does this PR introduce _any_ user-facing change?
No.
### How was this patch tested?
Pass GA

Closes #38352 from bjornjorgensen/patch-2.

Lead-authored-by: Bjørn Jørgensen <bjornjorgensen@gmail.com>
Co-authored-by: Bjørn <bjornjorgensen@gmail.com>
Signed-off-by: Sean Owen <srowen@gmail.com>
OK, merged to 3.2.
Thanks everyone :)
@sunchao thank you for your efforts. When can we expect the release of 3.2.3?
I'm going to start working on it this week.
Apologies if this is discussed elsewhere (or an FAQ that I wasn't able to find), but is there somewhere I can subscribe to this release and get notified when it's ready to pick up? Thanks!
@fryz It will be posted at dev@spark.apache.org and user@spark.apache.org
@sunchao @bjornjorgensen any update on this release?
@bsikander again, pls check dev@spark.apache.org - it's being voted.
+1 for @sunchao's comment.
I'm curious what the urgency is @bsikander - do you have a theory that this even affects Spark? This is a 'just in case' and 'to silence automated warnings' kind of update as far as I can see.
@srowen I also don't see any effect on Spark. My goal is to silence the warnings as soon as possible. That is why I am waiting for the release :)
@bjornjorgensen I noticed that you updated
### What changes were proposed in this pull request?
Upgrade Apache commons-text from 1.6 to 1.10.0
### Why are the changes needed?
CVE-2022-42889
this is a 9.8 CRITICAL
### Does this PR introduce any user-facing change?
No.
### How was this patch tested?
Pass GA
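The change itself is a version bump in the build; what a practitioner wants to confirm afterwards is that the commons-text artifact actually shipped on the classpath is at or above 1.10.0, the fixed version this PR moves to. The script below is an added example and is not part of the Apache Spark project or of this PR. It assumes the `$SPARK_HOME/jars` layout and the `commons-text-<version>.jar` file naming of a Spark distribution; the jar names in `SAMPLE_JARS` are constructed. It compares versions numerically, because a plain string comparison ranks `1.6` above `1.10` and would report the upgraded jar as the old one.

```python
"""Check a Spark-style jars/ directory for commons-text older than the fixed release.

Added example, not Apache Spark project code. It verifies the version that is
really on the classpath after a dependency bump such as SPARK-40801
(commons-text 1.6 -> 1.10.0 for CVE-2022-42889).
"""
import os
import re
import sys

# Version the PR upgrades to; anything older is reported as affected.
FIXED_VERSION = "1.10.0"

# Matches artifact names such as commons-text-1.6.jar, commons-text-1.10.0.jar
# or commons-text-1.10.0-SNAPSHOT.jar (assumed naming convention).
JAR_RE = re.compile(r"^commons-text-(\d+(?:\.\d+)*)(?:[-.][A-Za-z0-9.]+)?\.jar$")


def parse_version(text):
    """Turn '1.10.0' into (1, 10, 0) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


def version_lt(a, b):
    """True if version string a is older than b; shorter tuples are zero-padded."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def commons_text_version(filename):
    """Return the commons-text version embedded in a jar file name, or None."""
    match = JAR_RE.match(os.path.basename(filename))
    return match.group(1) if match else None


def find_affected(jar_names, fixed=FIXED_VERSION):
    """Return (filename, version) pairs for commons-text jars older than `fixed`."""
    affected = []
    for name in jar_names:
        version = commons_text_version(name)
        if version is not None and version_lt(version, fixed):
            affected.append((name, version))
    return affected


def scan_directory(path):
    """Scan a directory (for instance $SPARK_HOME/jars) and return affected jars."""
    return find_affected(sorted(os.listdir(path)))


# Constructed sample listing standing in for a Spark 3.2.x jars/ directory
# that still carries the pre-upgrade artifact next to the new one.
SAMPLE_JARS = [
    "commons-lang3-3.12.0.jar",
    "commons-text-1.6.jar",
    "commons-text-1.10.0.jar",
    "spark-core_2.12-3.2.2.jar",
]

if __name__ == "__main__":
    # Usage: python check_commons_text.py [/path/to/spark/jars]
    hits = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else find_affected(SAMPLE_JARS)
    for name, version in hits:
        print(f"{name}: commons-text {version} is older than {FIXED_VERSION}")
    sys.exit(1 if hits else 0)
```

Run with no argument it checks the constructed listing and flags only `commons-text-1.6.jar`; pointed at a real `jars/` directory it exits non-zero when any commons-text jar below 1.10.0 is present, which makes it usable as a gate in a build or deployment pipeline.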