RE: 3.3.1 Release

2022-10-27 Thread Pastrana, Rodrigo (RIS-BCT)
Great! Thank you! From: Dongjoon Hyun Sent: Tuesday, October 25, 2022 6:08 PM To: Pastrana, Rodrigo (RIS-BCT) Cc: dev@spark.apache.org Subject: Re: 3.3.1 Release

CVE-2022-42889

2022-10-27 Thread Pastrana, Rodrigo (RIS-BCT)
Hello, This issue (SPARK-40801) which addresses CVE-2022-42889 doesn't seem to have been included in the latest release (3.3.1). Is there a way to estimate a timeline for the first relea

Re: CVE-2022-42889

2022-10-27 Thread Sean Owen
Probably a few months between maintenance releases. It does not appear to affect Spark, however. On Thu, Oct 27, 2022 at 9:24 AM Pastrana, Rodrigo (RIS-BCT) wrote: > Hello, > > This issue (SPARK-40801) > which addresses > CVE-2022-42889 doesn’t

RE: CVE-2022-42889

2022-10-27 Thread Pastrana, Rodrigo (RIS-BCT)
Thanks Sean, I assume Spark's not affected because it either doesn't reference the affected API(s) or because it does not unsafely utilize user input through the vulnerable API(s), but is there an official statement about this from Spark? We weren't able to find references to 2022-42889 here: ht

Re: CVE-2022-42889

2022-10-27 Thread Sean Owen
Right. It seems there is only one direct use of that part of commons-text, and it is not applied to user-supplied inputs (reads and substitutes into error message templates). At a glance I do not see how it would affect Spark; it's not impossible that it does. In any event, commons-text is being up

Re: CVE-2022-42889

2022-10-27 Thread Steve Loughran
The API doesn't get used in the hadoop libraries; not sure about other dependencies. Probably makes sense to say on the jira that there's no need to panic here; I've had to start doing that as some of the security scanners appear to overreact https://issues.apache.org/jira/browse/HDFS-16766 On T

RE: CVE-2022-42889

2022-10-27 Thread Pastrana, Rodrigo (RIS-BCT)
Thanks again Sean! From: Sean Owen Sent: Thursday, October 27, 2022 11:56 AM To: Pastrana, Rodrigo (RIS-BCT) Cc: dev@spark.apache.org Subject: Re: CVE-2022-42889

RE: CVE-2022-42889

2022-10-27 Thread Pastrana, Rodrigo (RIS-BCT)
Thanks Steve, you're 100% correct; we're reacting to downstream customers being alerted by scanners to the presence of the "vulnerable" commons-text dependency. We're looking for reliable information to convey downstream. Thanks again. From: Steve Loughran Sent: Thursday, October 27, 2022 12:37

Re: Spark Context Shutdown

2022-10-27 Thread Dongjoon Hyun
Hi, Shrikant. It seems that you are using non-GA features. FYI, since Apache Spark 3.1.1, Kubernetes Support became GA in the community. https://spark.apache.org/releases/spark-release-3-1-1.html In addition, Apache Spark 3.1 reached EOL last month. Could you try the latest distribution li