[spark-website] branch asf-site updated: Update for CVE-2023-32007

Tue, 02 May 2023 06:57:58 -0700 

This is an automated email from the ASF dual-hosted git repository.

srowen pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/spark-website.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 54ff7efc3b Update for CVE-2023-32007
54ff7efc3b is described below

commit 54ff7efc3bc512a57abc99325896bcaeb674d9b4
Author: Sean Owen <[email protected]>
AuthorDate: Tue May 2 08:57:30 2023 -0500

    Update for CVE-2023-32007
---
 security.md        | 7 ++++++-
 site/security.html | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/security.md b/security.md
index 805e400fa4..182b1e8ef7 100644
--- a/security.md
+++ b/security.md
@@ -18,6 +18,11 @@ non-public list that will reach the Apache Security team, as 
well as the Spark P
 
 <h2>Known security issues</h2>
 
+<h3 id="CVE-2023-32007">CVE-2023-32007: Apache Spark shell command injection 
vulnerability via Spark UI</h3>
+
+This CVE is only an update to [CVE-2022-33891](#CVE-2022-33891) to clarify 
that version 3.1.3 is also
+affected. It is otherwise not a new vulnerability. Note that Apache Spark 
3.1.x is EOL now.
+
 <h3 id="CVE-2023-22946">CVE-2023-22946: Apache Spark proxy-user privilege 
escalation from malicious configuration class</h3>
 
 Severity: Medium
@@ -81,7 +86,7 @@ Vendor: The Apache Software Foundation
 
 Versions Affected:
 
-- 3.1.3 and earlier
+- 3.1.3 and earlier (previously, this was marked as fixed in 3.1.3; this 
change is tracked as [CVE-2023-32007](#CVE-2023-32007))
 - 3.2.0 to 3.2.1
 
 Description:
diff --git a/site/security.html b/site/security.html
index 57b3def5b5..959e474d80 100644
--- a/site/security.html
+++ b/site/security.html
@@ -133,6 +133,11 @@ non-public list that will reach the Apache Security team, 
as well as the Spark P
 
 <h2>Known security issues</h2>
 
+<h3 id="CVE-2023-32007">CVE-2023-32007: Apache Spark shell command injection 
vulnerability via Spark UI</h3>
+
+<p>This CVE is only an update to <a href="#CVE-2022-33891">CVE-2022-33891</a> 
to clarify that version 3.1.3 is also
+affected. It is otherwise not a new vulnerability. Note that Apache Spark 
3.1.x is EOL now.</p>
+
 <h3 id="CVE-2023-22946">CVE-2023-22946: Apache Spark proxy-user privilege 
escalation from malicious configuration class</h3>
 
 <p>Severity: Medium</p>
@@ -207,7 +212,7 @@ the logs which would be returned in logs rendered in the 
UI.</p>
 <p>Versions Affected:</p>
 
 <ul>
-  <li>3.1.3 and earlier</li>
+  <li>3.1.3 and earlier (previously, this was marked as fixed in 3.1.3; this 
change is tracked as <a href="#CVE-2023-32007">CVE-2023-32007</a>)</li>
   <li>3.2.0 to 3.2.1</li>
 </ul>
 


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to