Update dependency pyspark to v3.3.2 [SECURITY]#56
Conversation
|
Hey! Changelogs info seems to be missing or might be in incorrect format. |
|
Seems you are using me but didn't get OPENAI_API_KEY seted in Variables/Secrets for this repo. you could follow readme for more information |
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-pyspark-vulnerability
branch
from
97997e2 to
67f5cba
Compare
|
Seems you are using me but didn't get OPENAI_API_KEY seted in Variables/Secrets for this repo. you could follow readme for more information |
This PR contains the following updates:
==3.2.0->==3.3.2GitHub Vulnerability Alerts
CVE-2022-33891
The Apache Spark UI offers the possibility to enable ACLs via the configuration option
spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.A previous version of this advisory incorrectly stated that version 3.1.3 was not vulnerable. Per GHSA-59hw-j9g6-mfg3, version 3.1.3 is vulnerable and vulnerable version ranges in this advisory have been changed to reflect the correct information.
CVE-2023-32007
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This issue was disclosed earlier as CVE-2022-33891, but incorrectly claimed version 3.1.3 (which has since gone EOL) would not be affected.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Users are recommended to upgrade to a supported version of Apache Spark, such as version 3.4.0.
CVE-2022-31777
A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI.
CVE-2023-22946
In Apache Spark versions prior to versions 3.4.0 and 3.3.3, applications using spark-submit can specify a
proxy-userto run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This affects architectures relying on proxy-user, for example those using Apache Livy to manage submitted applications.Update to Apache Spark 3.4.0, 3.3.3, or later, and ensure that spark.submit.proxyUser.allowCustomClasspathInClusterMode is set to its default of "false", and is not overridden by submitted applications.
Release Notes
apache/spark (pyspark)
v3.3.2Compare Source
v3.3.1Compare Source
v3.3.0Compare Source
v3.2.4Compare Source
v3.2.3Compare Source
v3.2.2Compare Source
v3.2.1Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.