Thanks for the clarification, Holden. However, we maintain our own Spark version and cherry-pick critical patches from the community. It's not clear which patch we should apply here.
Holden Karau <hol...@pigscanfly.ca> wrote on Thursday, March 10, 2022 at 7:04 AM:
> CVEs are generally not mentioned in the release notes or JIRA; instead we
> track them at https://spark.apache.org/security.html once they are
> resolved (prior to the resolution the reports go to
> secur...@spark.apache.org) to allow the project time to fix the issue
> before public disclosure so there is a fixed version for people to upgrade
> to.
>
> On Wed, Mar 9, 2022 at 2:58 PM Manu Zhang <owenzhang1...@gmail.com> wrote:
>
>> Hi Sean,
>>
>> I don't find it in the 3.1.3 release notes
>> https://spark.apache.org/releases/spark-release-3-1-3.html. Is it
>> tracked somewhere?
>>
>> On Thu, Mar 10, 2022 at 6:14 AM Sean R. Owen <sro...@apache.org> wrote:
>>
>>> Severity: moderate
>>>
>>> Description:
>>>
>>> Apache Spark supports end-to-end encryption of RPC connections via
>>> "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2
>>> and earlier, it uses a bespoke mutual authentication protocol that allows
>>> for full encryption key recovery. After an initial interactive attack, this
>>> would allow someone to decrypt plaintext traffic offline. Note that this
>>> does not affect security mechanisms controlled by
>>> "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled",
>>> "spark.ssl", "spark.ui.strictTransportSecurity".
>>>
>>> Mitigation:
>>>
>>> Update to Apache Spark 3.1.3 or later
>>>
>>> Credit:
>>>
>>> Steve Weis (Databricks)
>>>
>
> --
> Twitter: https://twitter.com/holdenkarau
> Books (Learning Spark, High Performance Spark, etc.):
> https://amzn.to/2MaRAG9
> YouTube Live Streams: https://www.youtube.com/user/holdenkarau
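As an added example (not from this thread and not code from the Spark project), the following Python check reads a spark-defaults.conf and the deployed Spark version string and reports whether the conditions named in the advisory above hold: "spark.authenticate" and "spark.network.crypto.enabled" both enabled on a version earlier than 3.1.3. It assumes the plain "key value" layout of spark-defaults.conf (lines beginning with "#" are comments) and that both settings default to false when absent; the sample configuration embedded in the block is constructed, not taken from any real deployment.

```python
"""Flag Spark deployments whose configuration matches the RPC-encryption
advisory: spark.authenticate and spark.network.crypto.enabled both true on a
Spark version earlier than 3.1.3 (the advisory's fixed version).

Added example; assumptions: spark-defaults.conf uses 'key value' (or
'key=value') pairs, '#'-prefixed lines are comments, and both settings
default to false when not present.
"""
import re
from typing import Dict, Tuple

# "Update to Apache Spark 3.1.3 or later" (from the advisory).
FIXED_VERSION: Tuple[int, int, int] = (3, 1, 3)

# Constructed sample configuration (not from a real deployment).
SAMPLE_CONF = """\
# constructed sample spark-defaults.conf
spark.master                       yarn
spark.authenticate                 true
spark.network.crypto.enabled       true
spark.io.encryption.enabled        false
spark.eventLog.dir                 hdfs:///spark-logs
"""


def parse_spark_conf(text: str) -> Dict[str, str]:
    """Parse spark-defaults.conf text into a dict.

    One pair per line; key and value separated by whitespace or '=';
    lines starting with '#' or '!' are comments; blank lines are skipped.
    Later duplicates override earlier ones, as java.util.Properties does.
    """
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        parts = re.split(r"[\s=:]+", line, maxsplit=1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        conf[key] = value
    return conf


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '3.1.2', '3.1.3-SNAPSHOT' or '2.4.8' into a comparable tuple.

    Any vendor suffix after the numeric part (e.g. '-SNAPSHOT') is ignored,
    which matters for teams shipping their own Spark builds.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Spark version: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_enabled(conf: Dict[str, str], key: str) -> bool:
    """Spark boolean settings; both keys checked here default to false."""
    return conf.get(key, "false").strip().lower() == "true"


def assess(conf_text: str, version: str) -> Dict[str, object]:
    """Return whether the advisory's conditions apply to this deployment."""
    conf = parse_spark_conf(conf_text)
    ver = parse_version(version)
    auth = is_enabled(conf, "spark.authenticate")
    crypto = is_enabled(conf, "spark.network.crypto.enabled")
    old_version = ver < FIXED_VERSION

    # All three must hold for the advisory to apply. The SASL, I/O, SSL and
    # UI settings it lists as unaffected are deliberately not consulted.
    exposed = auth and crypto and old_version
    if exposed:
        reason = "RPC crypto enabled on Spark %d.%d.%d (< 3.1.3)" % ver
    elif not (auth and crypto):
        reason = "spark.network.crypto.enabled path not in use"
    else:
        reason = "version %d.%d.%d already carries the fix" % ver
    return {"exposed": exposed, "version": ver, "reason": reason}


if __name__ == "__main__":
    for v in ("3.1.2", "3.1.3", "3.2.1"):
        print(v, assess(SAMPLE_CONF, v))
```

The decisive output is the `exposed` flag; the version tuple and reason are there so the result can be attached to an inventory record. Replace `SAMPLE_CONF` with the contents of the real `$SPARK_HOME/conf/spark-defaults.conf` and the version string with the output of `spark-submit --version` for an actual deployment.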