Re: [VOTE] Release Apache Superset 4.0.1 based on Superset 4.0.1rc1

2024-05-07 Thread Daniel Gaspar
+1 (binding) Daniel Gaspar On 2024/05/02 15:04:46 "Michael S. Molina" wrote: > Hello Superset Community, > > This is a call for the vote to release Apache Superset version 4.0.1. > > The release candidate: > https://dist.apache.org/repos/dist/dev/superse

Re: [VOTE] Release Apache Superset 3.1.3 based on Superset 3.1.3rc1

2024-05-07 Thread Daniel Gaspar
+1 (binding) Daniel Gaspar On 2024/05/02 14:14:50 "Michael S. Molina" wrote: > Hello Superset Community, > > This is a call for the vote to release Apache Superset version 3.1.3. > > The release candidate: > https://dist.apache.org/repos/dist/dev/sup

Re: [VOTE] Release Apache Superset 3.1.1 based on Superset 3.1.1rc1

2024-02-15 Thread Daniel Gaspar
+1 (binding) On Wed, 14 Feb 2024 at 16:48, Michael S. Molina wrote: > Hello Superset Community, > > This is a call for the vote to release Apache Superset version 3.1.1. > > The release candidate: > https://dist.apache.org/repos/dist/dev/superset/3.1.1rc1/ > > Git tag for the release: >

Re: [VOTE] Release Apache Superset 3.0.4 based on Superset 3.0.4rc1

2024-02-14 Thread Daniel Gaspar
+1 (binding) On Wed, 14 Feb 2024 at 15:42, Michael S. Molina wrote: > Hello Superset Community, > > This is a call for the vote to release Apache Superset version 3.0.4. > > The release candidate: > https://dist.apache.org/repos/dist/dev/superset/3.0.4rc1/ > > Git tag for the release: >

Re: [VOTE] Release Apache Superset 2.1.3 based on Superset 2.1.3rc1

2023-12-12 Thread Daniel Gaspar
+1 (binding) Daniel Gaspar / Superset PMC On Sat, 9 Dec 2023 at 01:49, Elizabeth Thompson wrote: > Hello Superset Community, > > This is a call for the vote to release Apache Superset version 2.1.3. > > The release candidate: > https://dist.apache.org/repos/dist/dev/superset

Re: [VOTE] Release Apache Superset 3.0.2 based on Superset 3.0.2rc2

2023-11-21 Thread Daniel Gaspar
+1 (binding) On Mon, 20 Nov 2023 at 20:42, Michael S. Molina wrote: > Hello Superset Community, > > This is a call for the vote to release Apache Superset version 3.0.2. > > The release candidate: > https://dist.apache.org/repos/dist/dev/superset/3.0.2rc2/ > > Git tag for the release: >

Re: [VOTE] [SIP-107] Proposal for Telemetry Pixel in Apache Superset

2023-10-27 Thread Daniel Gaspar
+1 (binding) On Tue, 17 Oct 2023 at 23:08, Evan Rusackas wrote: > Having launched the Discuss thread a few days back [1], and not getting > any questions or comments, I’m proceeding under the assumption that the > addition of a telemetry pixel is not too controversial, so I’ll go ahead > and

Re: [VOTE] Release Apache Superset 3.0.0 based on Superset 3.0.0rc4

2023-09-15 Thread Daniel Gaspar
+1 (binding) Checked changelog and git log for all necessary fixes On Thu, 14 Sept 2023 at 23:24, Beto Dealmeida wrote: > +1 binding! > > [x] Download links are valid > [x] GPG and checksum (SHA512) are valid > [x] Includes ASF license file (LICENSE.txt) and NOTICE file > [x] No unexpected

CVE-2023-27526: Apache Superset: Improper Authorization check on import charts

2023-09-06 Thread Daniel Gaspar
Affected versions: - Apache Superset through 2.1.0 Description: A non-Admin authenticated user could incorrectly create resources using the import charts feature, on Apache Superset up to and including 2.1.0. Credit: NTT DATA (finder) References: https://superset.apache.org

CVE-2023-27523: Apache Superset: Improper data permission validation on Jinja templated queries

2023-09-06 Thread Daniel Gaspar
Affected versions: - Apache Superset through 2.1.0 Description: Improper data authorization check on Jinja templated queries in Apache Superset up to and including 2.1.0 allows for an authenticated user to issue queries on database tables they may not have access to. Credit: Jingjing Hu

Re: [VOTE] Release Apache Superset 2.1.1 based on Superset 2.1.1rc3

2023-08-22 Thread Daniel Gaspar
+1 (binding) Cheers, Daniel Gaspar / Superset PMC On Fri, 18 Aug 2023 at 01:49, Elizabeth Thompson wrote: > Hello Superset Community, > > This is a call for the vote to release Apache Superset version 2.1.1. > > The release candidate: > https://dist.apache.org/repos/dist/dev

Re: [VOTE] Release Apache Superset 2.1.1 based on Superset 2.1.1rc2

2023-07-26 Thread Daniel Gaspar
+1 (binding) Cheers, Daniel Gaspar / Superset PMC On Mon, 24 Jul 2023 at 22:43, Elizabeth Thompson wrote: > Hello Superset Community, > > This is a call for the vote to release Apache Superset version 2.1.1. > > The release candidate: > https://dist.apache.org/repos/dist/dev

Re: [VOTE] Release Apache Superset 2.1.1 based on Superset 2.1.1rc1

2023-06-27 Thread Daniel Gaspar
fixes that pertain to my issues > work great (like the PivotTable v2 width correction)! > > Sam > > > > On Thu, Jun 22, 2023, at 5:35 AM, Daniel Gaspar wrote: > > +1 (binding) > > > > Daniel Gaspar / Superset PMC > > > > > > On Fri, 16

Re: [VOTE] Release Apache Superset 2.1.1 based on Superset 2.1.1rc1

2023-06-22 Thread Daniel Gaspar
+1 (binding) Daniel Gaspar / Superset PMC On Fri, 16 Jun 2023 at 20:53, Elizabeth Thompson wrote: > Hello Superset Community, > > This is a call for the vote to release Apache Superset version 2.1.1. > > The release candidate: > https://dist.apache.org/repos/dist/dev

CVE-2023-30776: Apache Superset: Database connection password leak

2023-04-24 Thread Daniel Gaspar
Description: An authenticated user with specific data permissions could access database connections' stored passwords by requesting a specific REST API. This issue affects Apache Superset version 1.3.0 up to 2.0.1. References: https://superset.apache.org

CVE-2023-27524: Apache Superset: Session validation vulnerability when using provided default SECRET_KEY

2023-04-24 Thread Daniel Gaspar
Description: Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not
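The advisory above turns on one fact: Flask-style session cookies are only as trustworthy as the key that signs them, so a SECRET_KEY left at a published default lets anyone mint a valid session. The following is an added example, not code from Apache Superset or from the advisory. It uses a simplified HMAC-SHA256 signing scheme as a stand-in for Flask's cookie format, and DEFAULT_KEYS is a constructed placeholder list rather than the real default string shipped in Superset's config.py; the payload field names are illustrative.

```python
"""
Added example (not Superset project code): a pre-start check that refuses a
default or weak SECRET_KEY, plus a minimal signed-session round trip showing
why a known key is fatal and why rotating it invalidates existing cookies.
"""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed placeholders standing in for values that must never be deployed.
# When using this check for real, add the exact default string from the
# Superset version you run (see its config.py) to this set.
DEFAULT_KEYS = {"EXAMPLE_DEFAULT_KEY_DO_NOT_USE", "CHANGE_ME"}
MIN_KEY_BYTES = 32


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_session(payload: dict, secret_key: str) -> str:
    """Serialize payload and append an HMAC-SHA256 tag keyed on secret_key."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(secret_key.encode(), body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_session(token: str, secret_key: str):
    """Return the payload if the tag verifies under secret_key, else None."""
    try:
        body, tag = token.split(".", 1)
        given = _unb64(tag)
    except ValueError:  # no separator or undecodable base64
        return None
    expected = hmac.new(secret_key.encode(), body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    try:
        return json.loads(_unb64(body))
    except ValueError:
        return None


def check_secret_key(config: dict) -> list:
    """Return a list of problems with config['SECRET_KEY']; empty means OK."""
    key = config.get("SECRET_KEY")
    if not key:
        return ["SECRET_KEY is not set"]
    problems = []
    if key in DEFAULT_KEYS:
        problems.append("SECRET_KEY is a known default value")
    if len(key.encode()) < MIN_KEY_BYTES:
        problems.append(f"SECRET_KEY is shorter than {MIN_KEY_BYTES} bytes")
    return problems


def generate_secret_key() -> str:
    """A key suitable for SECRET_KEY: 42 random bytes, URL-safe base64."""
    return secrets.token_urlsafe(42)


if __name__ == "__main__":
    weak = {"SECRET_KEY": "CHANGE_ME"}
    print(check_secret_key(weak))
    # With the key known, a session for an arbitrary user id validates.
    forged = sign_session({"user_id": 1}, weak["SECRET_KEY"])
    print(verify_session(forged, weak["SECRET_KEY"]))
    # Rotating to a fresh random key invalidates that cookie.
    strong = {"SECRET_KEY": generate_secret_key()}
    print(check_secret_key(strong), verify_session(forged, strong["SECRET_KEY"]))
```

Run check_secret_key against the loaded Flask config at startup and abort on a non-empty result; rotating SECRET_KEY logs every user out, which is the intended effect after a default key has been exposed.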

CVE-2023-27525: Apache Superset: Incorrect default permissions for Gamma role

2023-04-17 Thread Daniel Gaspar
Description: An authenticated user with Gamma role authorization could have access to metadata information using non-trivial methods in Apache Superset up to and including 2.0.1 Credit: NTT DATA (finder) References: https://superset.apache.org https://www.cve.org/CVERecord?id=CVE-2023-27525

CVE-2023-25504: Apache Superset: Possible SSRF on import datasets

2023-04-17 Thread Daniel Gaspar
Description: A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature in order to conduct Server-Side Request Forgery attacks and query internal resources on behalf of the server where Superset is deployed. This

CVE-2022-41703: Apache Superset: SQL injection vulnerability in adhoc clauses

2023-01-16 Thread Daniel Gaspar
Severity: critical Description: A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access

CVE-2022-45438: Apache Superset: Dashboard metadata information leak

2023-01-16 Thread Daniel Gaspar
Description: When explicitly enabling the feature flag DASHBOARD_CACHE (disabled by default), the system allowed for an unauthenticated user to access dashboard configuration metadata using a REST API Get endpoint. This issue affects Apache Superset version 1.5.2 and prior versions and version

CVE-2022-43721: Apache Superset: Open Redirect Vulnerability

2023-01-16 Thread Daniel Gaspar
Severity: moderate Description: An authenticated attacker with update datasets permission could change a dataset link to an untrusted site, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset version 1.5.2 and prior versions and

CVE-2022-43720: Apache Superset: Improper rendering of user input

2023-01-16 Thread Daniel Gaspar
Severity: low Description: An authenticated attacker with write CSS template permissions can create a record with specific HTML tags that will not get properly escaped by the toast message displayed when a user deletes that specific CSS template record. This issue affects Apache Superset

CVE-2022-43719: Apache Superset: Cross Site Request Forgery (CSRF) on accept, request access API

2023-01-16 Thread Daniel Gaspar
Severity: moderate Description: Two legacy REST API endpoints for approval and request access are vulnerable to cross site request forgery. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. Credit: Positive Technologies (finder) References:

CVE-2022-43718: Apache Superset: Cross-Site Scripting vulnerability on upload forms

2023-01-16 Thread Daniel Gaspar
Description: Upload data forms do not correctly render user input leading to possible XSS attack vectors that can be performed by authenticated users with database connection update permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. Credit:

CVE-2022-43717: Apache Superset: Cross-Site Scripting on dashboards

2023-01-16 Thread Daniel Gaspar
Description: Dashboard rendering does not sufficiently sanitize the content of markdown components leading to possible XSS attack vectors that can be performed by authenticated users with create dashboard permissions. This issue affects Apache Superset version 1.5.2 and prior versions and

Re: [VOTE] Release Apache Superset 2.0.1 based on Superset 2.0.1rc6

2022-12-20 Thread Daniel Gaspar
+1 (binding) Daniel Gaspar / Superset PMC On 2022/12/16 01:48:07 Elizabeth Thompson wrote: > Hello Superset Community, > > This is a call for the vote to release Apache Superset version 2.0.1. > > The release candidate: > https://dist.apache.org/repos/dist/dev/superset/2.0.

Re: [VOTE] Release Apache Superset 2.0.1 based on Superset 2.0.1rc5

2022-12-12 Thread Daniel Gaspar
+1 (binding) - Check changelog, and package version - Accessed charts and dashboards (ephemeral env) - Created a new chart (ephemeral env) On Fri, 9 Dec 2022 at 23:53, Tai Dupree wrote: > Looks like it's there now, likely just took a while to build. > > >

Re: [VOTE] Release Apache Superset 2.0.1 based on Superset 2.0.1rc3

2022-11-22 Thread Daniel Gaspar
Hi, The following PR https://github.com/apache/superset/pull/21895 seems to be missing, is it possible to include? nit: #21811 PR seems to have a duplicate entry on the changelog. Thank you, Daniel Gaspar / Superset PMC On Mon, 21 Nov 2022 at 17:00, Arash Afghahi wrote: > Hello Super

Re: [VOTE] Release Apache Superset 1.5.2 based on Superset 1.5.2rc1

2022-09-02 Thread Daniel Gaspar
-1 (binding) We have found one more fix that should be included on this release. Thank you so much Michael for all the great work you've done on the releases. Regards, Daniel Gaspar / Superset PMC On Wed, 31 Aug 2022 at 18:50, Michael S. Molina wrote: > Hello Superset Commun

Re: [VOTE] Release Apache Superset 2.0.0 based on Superset 2.0.0rc2

2022-07-13 Thread Daniel Gaspar
+1 (binding) On Wed, 6 Jul 2022 at 18:24, Michael S. Molina wrote: > Hello Superset Community, > > This is a call for the vote to release Apache Superset version 2.0.0. > > The release candidate: > https://dist.apache.org/repos/dist/dev/superset/2.0.0rc2/ < >

CVE-2021-37839: Apache Superset: Improper access to dataset metadata information

2022-07-06 Thread Daniel Gaspar
Description: Apache Superset up to 1.5.1 allowed for authenticated users to access metadata information related to datasets they have no permission on. This metadata included the dataset name, columns and metrics. Mitigation: Upgrade to 1.5.1 or higher Credit: Apache Superset would like to

Re: [VOTE] Release Apache Superset 1.5.1 based on Superset 1.5.1rc1

2022-06-06 Thread Daniel Gaspar
+1 (binding) On Fri, 27 May 2022 at 16:40, Michael S. Molina wrote: > Hello Superset Community, > > This is a call for the vote to release Apache Superset version 1.5.1. > > New cherries since 1.5.0: > - #19685 fix: login button does not render (@villebro) > - #20181 fix(temporary-cache): when

Re: [VOTE][SIP-74] Breaking Changes to include in Superset 2.0

2022-02-15 Thread Daniel Gaspar
+1 binding On 2022/02/14 23:34:26 Aaron Suddjian wrote: > Hi all, > > I'd like to call for a vote on SIP-74, Superset 2.0 Breaking Changes: > https://github.com/apache/superset/issues/17081 > > The vote will be open for at least 1 week or until the necessary number of > votes are reached. > >

Re: [VOTE][SIP-79] Guidelines for Superset PMC Membership

2022-02-01 Thread Daniel Gaspar
+1 (binding) On Wed, 26 Jan 2022 at 17:01, Evan Rusackas wrote: > Hello everyone, > > Thank you for all the prior discussion on the proposal. Some adjustments > and clarifications have been made accordingly. I’d like to hereby call for > a vote on SIP-79, Guidelines for Superset PMC membership.

CVE-2021-44451: Apache Superset: API sensitive information leak

2022-02-01 Thread Daniel Gaspar
Description: Apache Superset up to and including 1.3.2 allowed for registered database connection password leaks to authenticated users. This information could be accessed in a non-trivial way. Mitigation: Upgrade to Apache Superset 1.4.0 or higher. Credit: Found and reported by Cesar

CVE-2021-42250: Apache Superset: Possible log injection

2021-11-17 Thread Daniel Gaspar
Description: Improper output neutralization for Logs. A specific Apache Superset HTTP endpoint allowed for an authenticated user to forge log entries or inject malicious content into logs. Mitigation: Upgrade to Apache Superset 1.3.2 or higher Credit: Found and reported by Duxiaoman

Re: [VOTE][SIP-68] A better model for Datasets

2021-11-15 Thread Daniel Gaspar
+1 binding On 2021/11/03 22:47:27 Beto Dealmeida wrote: > Hi Superset community, > > This is a call to vote for [SIP-68] A better model for Datasets > . > > The vote will be open for at least 1 week or until the necessary number > of votes are

CVE-2021-41972: Apache Superset: Credentials leak

2021-11-11 Thread Daniel Gaspar
Description: Apache Superset up to and including 1.3.1 allowed for database connection password leaks to authenticated users. This information could be accessed in a non-trivial way. Mitigation: Upgrade to Apache Superset 1.3.2 or higher Credit: Apache Superset team would like to thank Ke

CVE-2021-32609: Apache Superset: XSS vulnerability on Explore page

2021-10-15 Thread Daniel Gaspar
Description: Apache Superset up to and including 1.1 does not sanitize titles correctly on the Explore page. This allows an attacker with Explore access to save a chart with a malicious title, injecting html (including scripts) into the page. Credit: Apache Superset team would like to thank

Re: [VOTE] Release Apache Superset 1.3.2 based on Superset 1.3.2rc1

2021-10-13 Thread Daniel Gaspar
+1 binding Checked: - Version - Change log - Tested locally and made a bunch of simple tests On 2021/10/11 12:47:27, Ville Brofeldt wrote: > Hello Superset Community, > > This is a call for the vote to release Apache Superset version 1.3.2. > This release candidate includes the following

Re: [VOTE] Release Apache Superset 1.3.1 based on Superset 1.3.1rc2

2021-09-28 Thread Daniel Gaspar
+1 On 2021/09/22 12:27:24, Ville Brofeldt wrote: > Hello Superset Community, > > This is a call for the vote to release Apache Superset version 1.3.1. New > cherries since 1.3.1rc1: > > - [#16711] feat(jinja): improve url parameter formatting (@villebro) > - [#14955] feat: show build number

Re: [VOTE] Release Apache Superset 1.3.1 based on Superset 1.3.1rc1

2021-09-08 Thread Daniel Gaspar
+1 binding On 2021/09/06 12:33:56, Ville Brofeldt wrote: > Hello Superset Community, > > This is a call for the vote to release Apache Superset version 1.3.1. > This release candidate includes the following cherries on top of 1.3.0: > > Features: > - #16594 feat: Experimental cross-filter

CVE-2021-28125: Apache Superset Open Redirect

2021-04-27 Thread daniel gaspar
Description: Apache Superset up to and including 1.0.1 allowed for the creation of an external URL that could be malicious. By not checking user input for open redirects, the URL shortener functionality would allow for a malicious user to create a short URL for a dashboard that could convince the
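The missing check the advisory describes is a same-site validation of the target before it is stored behind a short URL. The following is an added example, not Superset's own code: it accepts only a relative path under "/" or an absolute http(s) URL on an allowed host, and stores only the path so the short link can never leave the site. ALLOWED_HOSTS is a constructed placeholder; it also covers the scheme-relative and backslash variants that a naive "starts with /" test lets through.

```python
"""
Added example (not Superset project code): validate a user-supplied redirect
target for a URL shortener and reduce it to an on-site path before storing it.
"""
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"superset.example.com"}  # constructed placeholder


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for same-site targets.

    Accepts a relative path starting with a single '/', or an absolute http(s)
    URL whose host is in allowed_hosts. Rejects scheme-relative ('//evil'),
    backslash tricks ('/\\evil'), userinfo tricks ('https://good@evil'),
    non-http schemes such as javascript:, and control characters.
    """
    if not target or any(c in target for c in "\r\n\x00"):
        return False
    # Browsers treat backslashes as slashes in the authority; normalize first
    # so the parser sees what the browser would see.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        return candidate.startswith("/") and not candidate.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # strips userinfo and port
    return host is not None and host.lower() in allowed_hosts


def normalize_dashboard_target(target: str, allowed_hosts=ALLOWED_HOSTS):
    """Return the path+query+fragment to store for the short URL, or None.

    Dropping scheme and host at storage time means that even a later bug in
    the redirect handler cannot send the browser off-site.
    """
    if not is_safe_redirect(target, allowed_hosts):
        return None
    parts = urlsplit(target.replace("\\", "/"))
    return urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))


if __name__ == "__main__":
    for t in ["/superset/dashboard/1/", "//evil.example/", "/\\evil.example/",
              "javascript:alert(1)", "https://superset.example.com/superset/dashboard/1/",
              "https://superset.example.com@evil.example/"]:
        print(repr(t), is_safe_redirect(t), normalize_dashboard_target(t))
```

When serving the short link, redirect to the stored path only; never re-read a host from user-controlled data at redirect time.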

Re: [VOTE][SIP-24]: Proposal to introduce Flask app factory pattern

2021-04-27 Thread Daniel Gaspar
+1 binding On 2021/04/22 02:14:15, Craig Rueda wrote: > Hello Superset Community, > > This is another *very belated* call to vote for a SIP -- SIP-24 - Proposal > to introduce Flask app factory pattern: > https://github.com/apache/superset/issues/8318 > > Note that there was already a DISCUSS

CVE-2021-27907: Apache Superset stored XSS on Dashboard markdown

2021-03-05 Thread daniel gaspar
Description: Apache Superset up to and including 0.38.0 allowed the creation of a Markdown component on a Dashboard page for describing chart-related information. Abusing this functionality, a malicious user could inject JavaScript code executing unwanted actions in the context of the user's

Re: [VOTE] Release Apache Superset (incubating) 0.38.1 based on Superset 0.38.1rc1

2021-02-25 Thread Daniel Gaspar
+1 (binding) On 2021/02/25 07:07:21, Ville Brofeldt wrote: > Hello Superset Community, > > It’s come to our attention that a feature flag relating to the markdown > dashboard component wasn’t included in the 0.38.0 release as was intended. > This patch is a backport of the PR (included in 1.0)

Re: [VOTE] Release Apache Superset 1.0.1 based on Superset 1.0.1rc2

2021-02-04 Thread Daniel Gaspar
+1 On 2021/02/02 19:12:37, Ville Brofeldt wrote: > Hello Superset Community, > > This is a call for the vote to release Apache Superset version 1.0.1. The > second release candidate includes the following cherries on top of the ones > featured in rc1: > - feat(release): add github token to

Re: [VOTE] Release Apache Superset 1.0.0 based on Superset 1.0.0rc4

2021-01-18 Thread Daniel Gaspar
+1 (binding) On 2021/01/16 07:28:03, Ville Brofeldt wrote: > Hello Superset Community, > > This is a call for the vote to release Apache Superset version 1.0.0. > All reported critical bugs in 1.0.0rc3 have been addressed. > The full list of PRs added since 1.0.0rc3 are as follows: > - Fix 500

Re: [DISCUSS] Enable GitHub Discussions?

2020-12-14 Thread Daniel Gaspar
+1 On 2020/12/13 06:31:39, Jesse Yang wrote: > Dear Superset community, > > During the last Superset meetup, we had a discussion on GitHub Discussions >

[ANNOUNCE] Apache Superset version 0.38.0 Released

2020-11-25 Thread daniel gaspar
Hello Community, The Apache Superset team is pleased to announce that Superset 0.38.0 has just been released. Apache Superset is a modern, enterprise-ready business intelligence web application. The official source release: https://www.apache.org/dist/incubator/superset/0.38.0 The Pypi

[RESULT] [VOTE] Release Apache Superset (incubating) 0.38.0 based on Superset 0.38.0rc4

2020-11-23 Thread daniel gaspar
Thanks to everyone that participated. The vote to release Apache Superset (incubating) version 0.38.0 based on 0.38.0rc4 is now closed. The vote PASSED with 7 binding +1, 1 non-binding +1 and 0 -1 votes: Binding votes: - Maxime Beauchemin - Bogdan Kyryliuk - Aaron Suddjian - Ville Brofeldt -

[VOTE] Release Apache Superset (incubating) 0.38.0 based on Superset 0.38.0rc4

2020-11-17 Thread daniel gaspar
Hello Superset Community, This is a call for the vote to release Apache Superset (incubating) version 0.38.0. RC3 was cancelled due to licensing issues for two fonts, related thread:

[RESULT] [VOTE] Release Apache Superset (incubating) 0.38.0 based on Superset 0.38.0rc3

2020-11-09 Thread daniel gaspar
Thanks to everyone that participated. The vote to release Apache Superset (incubating) version 0.38.0 based on 0.38.0rc3 is now closed. The vote PASSED with 7 binding +1, 0 non-binding +1 and 0 -1 votes: Binding votes: - Craig Rueda - John Bodley - William Barret - Maxime Beauchemin - Jim

[VOTE] Release Apache Superset (incubating) 0.38.0 based on Superset 0.38.0rc3

2020-11-06 Thread daniel gaspar
Hello Superset Community, This is a call for the vote to release Apache Superset (incubating) version 0.38.0. The release candidate: https://dist.apache.org/repos/dist/dev/incubator/superset/0.38.0rc3/ Git tag for the release: https://github.com/apache/incubator-superset/tree/0.38.0rc3 The

[VOTE] Release Apache Superset (incubating) 0.38.0 based on Superset 0.38.0rc2

2020-11-02 Thread daniel gaspar
Hello Superset Community, This is a call for the vote to release Apache Superset (incubating) version 0.38.0. The release candidate: https://dist.apache.org/repos/dist/dev/incubator/superset/0.38.0rc2/ Git tag for the release: https://github.com/apache/incubator-superset/tree/0.38.0rc2 The

[RESULT] [VOTE] Release Apache Superset (incubating) 0.38.0 based on Superset 0.38.0rc1

2020-11-02 Thread daniel gaspar
Thanks to everyone that participated. The vote to release Apache Superset (incubating) version 0.38.0 based on 0.38.0rc1 is now closed. The vote did NOT PASS with 4 binding +1, 1 non-binding +1 and 1 -1 votes: Binding votes: - Will Barret - Maxime Beauchemin - Tai Dupree - Craig Rueda Non

[VOTE] Release Apache Superset (incubating) 0.38.0 based on Superset 0.38.0rc1

2020-10-28 Thread daniel gaspar
Hello Superset Community, This is a call for the vote to release Apache Superset (incubating) version 0.38.0. The release candidate: https://dist.apache.org/repos/dist/dev/incubator/superset/0.38.0rc1/ Git tag for the release: https://github.com/apache/incubator-superset/tree/0.38.0rc1 The

Re: [VOTE] graduate Apache Superset from the Apache Incubator

2020-09-16 Thread Daniel Gaspar
+1 (binding) On 2020/09/16 00:46:04, Maxime Beauchemin wrote: > Hi all! > > Over the past few months/years, the Apache Superset community has met all > the requirements to graduate from the Apache Incubator. Given that, I > believe we are ready for graduation and I'm excited to kick off the

Re: Subject: [VOTE] Release Apache Superset (incubating) 0.37.1 based on Superset 0.37.1rc1

2020-09-07 Thread Daniel Gaspar
+1 (binding) On 2020/09/06 11:38:40, Ville Brofeldt wrote: > Hello Superset Community, > > This is a call for the vote to release Apache Superset > (incubating) version 0.37.1. This is a bugfix release to address a shortcoming > in the jinja2 functionality of superset. The majority of

Re: [VOTE] Release Apache Superset (incubating) 0.37.0 based on Superset 0.37.0rc4

2020-08-02 Thread Daniel Gaspar
+1 (binding) On 2020/08/01 16:53:35, Ville Brofeldt wrote: > Hello Superset Community, > > With no new regressions or critical bugs having been brought to our attention > in the 0.37 > branch during the last week, this is a call for the vote to release Apache > Superset > (incubating)