This is an automated email from the ASF dual-hosted git repository.

irashid pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/spark-website.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 6e85b26  CVE-2019-10099
6e85b26 is described below

commit 6e85b26065809c56a9d317980388032f62a381e8
Author: Imran Rashid <iras...@cloudera.com>
AuthorDate: Tue Aug 6 10:14:36 2019 -0500

    CVE-2019-10099
    
    ran jekyll build / serve locally.
    
    Also updated a random formatting issue on the release process page -- (fixed just by running jekyll build).
    
    Author: Imran Rashid <iras...@cloudera.com>
    
    Closes #209 from squito/CVE-2019-10099.
---
 security.md               | 24 ++++++++++++++++++++++++
 site/release-process.html | 12 +++++++-----
 site/security.html        | 28 ++++++++++++++++++++++++++++
 3 files changed, 59 insertions(+), 5 deletions(-)

diff --git a/security.md b/security.md
index 340622b..7e062b8 100644
--- a/security.md
+++ b/security.md
@@ -18,6 +18,30 @@ non-public list that will reach the Apache Security team, as 
well as the Spark P
 
 <h2>Known Security Issues</h2>
 
+<h3 id="CVE-2019-10099">CVE-2019-10099: Apache Spark unencrypted data on local 
disk</h3>
+
+Severity: Important
+
+Vendor: The Apache Software Foundation
+
+Versions affected:
+- All Spark 1.x, Spark 2.0.x, Spark 2.1.x, and 2.2.x versions
+- Spark 2.3.0 to 2.3.2
+
+Description:
+
+Prior to Spark 2.3.3, in certain situations Spark would write user data to 
local disk unencrypted, even if `spark.io.encryption.enabled=true`.  This 
includes cached blocks that are fetched to disk (controlled by 
`spark.maxRemoteBlockSizeFetchToMem`); in SparkR, using parallelize; in 
Pyspark, using broadcast and parallelize; and use of python udfs.
+
+
+Mitigation:
+
+- 1.x, 2.0.x, 2.1.x, 2.2.x, 2.3.x  users should upgrade to 2.3.3 or newer, 
including 2.4.x
+
+Credit:
+
+- This issue was reported by Thomas Graves of NVIDIA.
+
+
 <h3 id="CVE-2018-11760">CVE-2018-11760: Apache Spark local privilege 
escalation vulnerability</h3>
 
 Severity: Important
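Review bot: the mitigation section for CVE-2019-10099 only says to upgrade; since the description states that affected versions wrote user data to local disk unencrypted, consider adding a sentence on whether data already spilled by an affected version can remain on local disk after upgrading and should be cleaned up, so operators of fetch-to-disk, SparkR, PySpark broadcast/parallelize and Python UDF workloads know what to check. Minor style points in the same hunk: double spaces in "2.3.x  users" and after "spark.io.encryption.enabled=true`.", inconsistent capitalization ("Pyspark", "python udfs" versus "SparkR"), and the two consecutive blank lines after the description and after the credit bullet, where the other entries on this page use one.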
diff --git a/site/release-process.html b/site/release-process.html
index 2c5bb41..2e8e82e 100644
--- a/site/release-process.html
+++ b/site/release-process.html
@@ -299,11 +299,13 @@ changes or in the release news on the website later.</p>
 <p>Also check that all build and test passes are green from the RISELab 
Jenkins: https://amplab.cs.berkeley.edu/jenkins/ particularly look for Spark 
Packaging, QA Compile, QA Test.
 Note that not all permutations are run on PR therefore it is important to 
check Jenkins runs.</p>
 
-<p>To cut a release candidate, there are 4 steps:
-1. Create a git tag for the release candidate.
-1. Package the release binaries &amp; sources, and upload them to the Apache 
staging SVN repo.
-1. Create the release docs, and upload them to the Apache staging SVN repo.
-1. Publish a snapshot to the Apache staging Maven repo.</p>
+<p>To cut a release candidate, there are 4 steps:</p>
+<ol>
+  <li>Create a git tag for the release candidate.</li>
+  <li>Package the release binaries &amp; sources, and upload them to the 
Apache staging SVN repo.</li>
+  <li>Create the release docs, and upload them to the Apache staging SVN 
repo.</li>
+  <li>Publish a snapshot to the Apache staging Maven repo.</li>
+</ol>
 
 <p>The process of cutting a release candidate has been automated via the 
<code>dev/create-release/do-release-docker.sh</code> script.
 Run this script, type information it requires, and wait until it finishes. You 
can also do a single step via the <code>-s</code> option.
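Review bot: the rewrite of the release-candidate steps from a run-on `<p>` into a proper `<ol>` is a rendering fix in generated output only, so it should be confirmed that the markdown source already produces this list and that no hand edit to site/ is needed (the commit message says it came from running jekyll build). One style point: the lead-in sentence hard-codes "there are 4 steps", which will drift if a step is added to the list; "the following steps" would not need updating.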
diff --git a/site/security.html b/site/security.html
index 9f5b5b5..4c78b81 100644
--- a/site/security.html
+++ b/site/security.html
@@ -211,6 +211,34 @@ non-public list that will reach the Apache Security team, 
as well as the Spark P
 
 <h2>Known Security Issues</h2>
 
+<h3 id="CVE-2019-10099">CVE-2019-10099: Apache Spark unencrypted data on local 
disk</h3>
+
+<p>Severity: Important</p>
+
+<p>Vendor: The Apache Software Foundation</p>
+
+<p>Versions affected:</p>
+<ul>
+  <li>All Spark 1.x, Spark 2.0.x, Spark 2.1.x, and 2.2.x versions</li>
+  <li>Spark 2.3.0 to 2.3.2</li>
+</ul>
+
+<p>Description:</p>
+
+<p>Prior to Spark 2.3.3, in certain situations Spark would write user data to 
local disk unencrypted, even if <code>spark.io.encryption.enabled=true</code>.  
This includes cached blocks that are fetched to disk (controlled by 
<code>spark.maxRemoteBlockSizeFetchToMem</code>); in SparkR, using parallelize; 
in Pyspark, using broadcast and parallelize; and use of python udfs.</p>
+
+<p>Mitigation:</p>
+
+<ul>
+  <li>1.x, 2.0.x, 2.1.x, 2.2.x, 2.3.x  users should upgrade to 2.3.3 or newer, 
including 2.4.x</li>
+</ul>
+
+<p>Credit:</p>
+
+<ul>
+  <li>This issue was reported by Thomas Graves of NVIDIA.</li>
+</ul>
+
 <h3 id="CVE-2018-11760">CVE-2018-11760: Apache Spark local privilege 
escalation vulnerability</h3>
 
 <p>Severity: Important</p>
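Review bot: this generated HTML mirrors the security.md entry, including the double space in "2.3.x  users" and the "Pyspark"/"python udfs" capitalization; since site/security.html is regenerated from the markdown, any wording fixes need to be made in security.md rather than here, or the next jekyll build will reintroduce them. The `<h3 id="CVE-2019-10099">` anchor matches the markdown heading and the other CVE entries, so existing links to the section stay stable.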


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@spark.apache.org
For additional commands, e-mail: commits-h...@spark.apache.org
