Re: CVE-2021-38296: Apache Spark Key Negotiation Vulnerability - 2.4 Backport?

2022-04-14 Thread Chris Nauroth
Thanks for the quick reply, Sean!

Chris Nauroth

On Thu, Apr 14, 2022 at 10:15 AM Sean Owen wrote:
> It does affect 2.4.x, yes. 2.4.x was EOL a while ago, so there wouldn't be a new release of 2.4.x in any event. It's recommended to update instead, at least to 3.1.3.
>
> On Thu, Apr 14, 202

Re: CVE-2021-38296: Apache Spark Key Negotiation Vulnerability - 2.4 Backport?

2022-04-14 Thread Sean Owen
It does affect 2.4.x, yes. 2.4.x was EOL a while ago, so there wouldn't be a new release of 2.4.x in any event. It's recommended to update instead, at least to 3.1.3.

On Thu, Apr 14, 2022 at 12:07 PM Chris Nauroth wrote:
> A fix for CVE-2021-38296 was committed and released in Apache Spark 3.1.3

CVE-2021-38296: Apache Spark Key Negotiation Vulnerability - 2.4 Backport?

2022-04-14 Thread Chris Nauroth
A fix for CVE-2021-38296 was committed and released in Apache Spark 3.1.3. I'm curious, is the issue relevant to the 2.4 version line, and if so, are there any plans for a backport?

https://lists.apache.org/thread/70x8fw2gx3g9ty7yk0f2f1dlpqml2smd

Chris Nauroth

Re: CVE-2021-38296: Apache Spark Key Negotiation Vulnerability

2022-03-09 Thread Manu Zhang
Thanks for the clarification, Holden. However, we maintain our own Spark version and cherry-pick critical patches from the community. It's not clear which patch we should apply here.

On Thursday, March 10, 2022 at 7:04 AM, Holden Karau wrote:
> CVEs are generally not mentioned in the release notes or JIRA instead we

Re: CVE-2021-38296: Apache Spark Key Negotiation Vulnerability

2022-03-09 Thread Holden Karau
CVEs are generally not mentioned in the release notes or JIRA; instead we track them at https://spark.apache.org/security.html once they are resolved (prior to the resolution the reports go to secur...@spark.apache.org) to allow the project time to fix the issue before public disclosure so there i

Re: CVE-2021-38296: Apache Spark Key Negotiation Vulnerability

2022-03-09 Thread Manu Zhang
Hi Sean,

I don't find it in the 3.1.3 release notes https://spark.apache.org/releases/spark-release-3-1-3.html. Is it tracked somewhere?

On Thu, Mar 10, 2022 at 6:14 AM Sean R. Owen wrote:
> Severity: moderate
>
> Description:
>
> Apache Spark supports end-to-end encryption of RPC connections via

CVE-2021-38296: Apache Spark Key Negotiation Vulnerability

2022-03-09 Thread Sean R. Owen
Severity: moderate

Description:

Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an ini