Hello Kamal et al,

Thank you for your message! In the future, please don't use secur...@spark.apache.org for reports such as this one: if there is an advisory for a dependency, more often than not, the dependency is not used in a way that is impacted by the advisory. As such we don't consider reports such as the one you attached as sensitive. You can read more about this at https://security.apache.org/report-dependency/ .

I see you also sent your message to the public dev@spark.apache.org mailing list. Indeed discussing how to deal with dependency updates would be on-topic for that list. That said, we do expect a collaborative attitude: as a leading bank, if these issues are important to you, it would be great if you can allocate some engineering time to participate productively in this project.

Unfortunately it seems like your email didn't arrive on the dev@spark.apache.org list. I suspect it may have been rejected because of the attachment.

Kind regards,

Arnout Engelen

On Mon, Nov 11, 2024 at 10:47 AM Kamal R (Consumer Bank, KMBL) via security <secur...@apache.org> wrote:
> Hi Apache Team,
>
> If you could please respond to our query or point us to the right point of
> contact, that will be quite helpful.
>
> Regards,
> Kamal
>
> From: Sidhartha Topcharla (Consumer Bank, KMBL) <sidhartha.topcha...@kotak.com>
> Date: Friday, 8 November 2024 at 11:22 AM
> To: secur...@spark.apache.org <secur...@spark.apache.org>, Jayraj Chopda (Corporate, KMBL) <jayraj.cho...@kotak.com>
> Cc: dev@spark.apache.org <dev@spark.apache.org>, Kamal R (Consumer Bank, KMBL) <kamal.rat...@kotak.com>
> Subject: Re: Vulnerabilities found on pyspark
>
> @Jayraj Chopda (Corporate, KMBL) <jayraj.cho...@kotak.com>
>
> From: Sidhartha Topcharla (Consumer Bank, KMBL) <sidhartha.topcha...@kotak.com>
> Date: Wednesday, 6 November 2024 at 1:04 PM
> To: secur...@spark.apache.org <secur...@spark.apache.org>
> Cc: dev@spark.apache.org <dev@spark.apache.org>, Kamal R (Consumer Bank, KMBL) <kamal.rat...@kotak.com>
> Subject: Vulnerabilities found on pyspark
>
> Hello Folks,
>
> I am Sidhartha Topcharla, working with Kotak Mahindra Bank. We are a
> leading private bank in India, with a customer base of around 300M.
>
> We are using pyspark: "^3.5.2" on our production environment. Our
> vulnerability scanner has identified the below issues within spark jars. Being
> a highly regulated entity, handling these issues is very critical for us.
>
> It would be great if you can let us know if these issues are already
> identified and fixed.
>
> Looking forward to your reply.
>
> Thanks and Regards,
> Sidhartha T
>
> DISCLAIMER:
> This communication is confidential and privileged and is directed to and
> for the use of the addressee only. The recipient if not the addressee
> should not use this message if erroneously received, and access and use of
> this e-mail in any manner by anyone other than the addressee is
> unauthorized. If you are not the intended recipient, please notify the
> sender by return email and immediately destroy all copies of this message
> and any attachments and delete it from your computer system permanently.
> The recipient acknowledges that Kotak Mahindra Bank Limited may be unable
> to exercise control or ensure or guarantee the integrity of the text of the
> email message and the text is not warranted as to completeness and
> accuracy. Before opening and accessing the attachment, if any, please check
> and scan for virus.

-- 
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant