From 04a2c072d94874f3f7ae9dd94c026e8826a75ccd Mon Sep 17 00:00:00 2001 From: Adam Roberts Date: Fri, 29 Jul 2016 04:43:01 -0700 Subject: [SPARK-16751] Upgrade derby to 10.12.1.1 ## What changes were proposed in this pull request? Version of derby upgraded based on important security info at VersionEye. Test scope added so we don't include it in our final package anyway. NB: I think this should be backported to all previous releases as it is a security problem https://www.versioneye.com/java/org.apache.derby:derby/10.11.1.1 The CVE number is 2015-1832. I also suggest we add a SECURITY tag for JIRAs ## How was this patch tested? Existing tests with the change making sure that we see no new failures. I checked derby 10.12.x and not derby 10.11.x is downloaded to our ~/.m2 folder. I then used dev/make-distribution.sh and checked the dist/jars folder for Spark 2.0: no derby jar is present. I don't know if this would also remove it from the assembly jar in our 1.x branches. Author: Adam Roberts Closes #14379 from a-roberts/patch-4. --- dev/deps/spark-deps-hadoop-2.4 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'dev/deps/spark-deps-hadoop-2.4') diff --git a/dev/deps/spark-deps-hadoop-2.4 b/dev/deps/spark-deps-hadoop-2.4 index 3f53fdb09c..9baf87e532 100644 --- a/dev/deps/spark-deps-hadoop-2.4 +++ b/dev/deps/spark-deps-hadoop-2.4 @@ -48,7 +48,7 @@ curator-recipes-2.4.0.jar datanucleus-api-jdo-3.2.6.jar datanucleus-core-3.2.10.jar datanucleus-rdbms-3.2.9.jar -derby-10.11.1.1.jar +derby-10.12.1.1.jar eigenbase-properties-1.1.5.jar guava-14.0.1.jar guice-3.0.jar -- cgit v1.2.3