Thanks Sean,
I assume Spark's not affected because it either doesn't reference the affected 
API(s) or because it does not unsafely utilize user input through the 
vulnerable API(s), but is there an official statement about this from Spark?
We weren't able to find references to 2022-42889 here: 
https://spark.apache.org/security.html (likely because Spark determined it is 
not affected?)

From: Sean Owen <sro...@gmail.com>
Sent: Thursday, October 27, 2022 10:27 AM
To: Pastrana, Rodrigo (RIS-BCT) <rodrigo.pastr...@lexisnexisrisk.com.invalid>
Cc: dev@spark.apache.org
Subject: Re: CVE-2022-42889

Probably a few months between maintenance releases.
It does not appear to affect Spark, however.

On Thu, Oct 27, 2022 at 9:24 AM Pastrana, Rodrigo (RIS-BCT) 
<rodrigo.pastr...@lexisnexisrisk.com.invalid> wrote:
Hello,
This issue (SPARK-40801, https://issues.apache.org/jira/browse/SPARK-40801), 
which addresses CVE-2022-42889, doesn't seem to have been included in the 
latest release (3.3.1, https://spark.apache.org/releases/spark-release-3-3-1.html).
Is there a way to estimate a timeline for the first release which includes that 
change (likely 3.3.2)? Much appreciation!

________________________________
The information contained in this e-mail message is intended only for the 
personal and confidential use of the recipient(s) named above. This message may 
be an attorney-client communication and/or work product and as such is 
privileged and confidential. If the reader of this message is not the intended 
recipient or an agent responsible for delivering it to the intended recipient, 
you are hereby notified that you have received this document in error and that 
any review, dissemination, distribution, or copying of this message is strictly 
prohibited. If you have received this communication in error, please notify us 
immediately by e-mail, and delete the original message.
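As an added example that is not part of the thread above and not code from the Spark project, the following Python script carries out the two checks Rodrigo's reasoning implies for a Spark-style jars/ directory: which Apache Commons Text version is shipped (CVE-2022-42889 affects 1.5 through 1.9; 1.10.0 is the fixed release, which removed the script, dns and url lookups from the default interpolator), and which other jars contain class files that reference the affected StringSubstitutor / StringLookupFactory API. The directory layout, jar names and class contents produced by build_sample_jars are constructed for this demonstration and do not describe a real Spark distribution.

```python
"""Triage check for CVE-2022-42889 (Apache Commons Text) against a jars/ directory.

Reports (1) the commons-text version(s) present, judged by jar file name, and
(2) which other jars carry a constant-pool reference to the interpolating
StringSubstitutor API. Added example; the sample jars are constructed below.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Affected range: 1.5 up to, but not including, the fixed 1.10.0 release.
FIRST_AFFECTED = (1, 5)
FIXED = (1, 10, 0)

# Internal class names as they appear in a .class file's constant pool.
# A match means the API is referenced, not that untrusted input reaches it.
API_MARKERS = (
    b"org/apache/commons/text/StringSubstitutor",
    b"org/apache/commons/text/lookup/StringLookupFactory",
)

JAR_NAME_RE = re.compile(r"^commons-text-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'1.9' -> (1, 9); tuples compare correctly across 1.9 vs 1.10.0."""
    return tuple(int(part) for part in text.split("."))


def is_affected_version(version):
    """True when a commons-text version tuple falls in [1.5, 1.10.0)."""
    return FIRST_AFFECTED <= version < FIXED


def commons_text_versions(jars_dir):
    """Versions of every commons-text jar in jars_dir, identified by file name.
    Shaded copies inside uber-jars are not detected by this check."""
    found = []
    for jar in sorted(Path(jars_dir).glob("commons-text-*.jar")):
        match = JAR_NAME_RE.match(jar.name)
        if match:
            found.append(parse_version(match.group(1)))
    return found


def jars_referencing_api(jars_dir):
    """Names of jars (other than commons-text itself) whose .class entries
    reference the affected API; one hit per jar is enough."""
    hits = []
    for jar in sorted(Path(jars_dir).glob("*.jar")):
        if JAR_NAME_RE.match(jar.name):
            continue
        with zipfile.ZipFile(jar) as zf:
            for entry in zf.namelist():
                if entry.endswith(".class"):
                    data = zf.read(entry)
                    if any(marker in data for marker in API_MARKERS):
                        hits.append(jar.name)
                        break
    return hits


def triage(jars_dir):
    """Summarise both checks for a directory of jars."""
    versions = commons_text_versions(jars_dir)
    return {
        "commons_text_versions": [".".join(map(str, v)) for v in versions],
        "vulnerable_library_present": any(is_affected_version(v) for v in versions),
        "jars_referencing_api": jars_referencing_api(jars_dir),
    }


def build_sample_jars(jars_dir):
    """Constructed sample, not a real distribution: a commons-text 1.9 jar,
    one consumer whose class references StringSubstitutor, one that does not."""
    jars_dir = Path(jars_dir)
    with zipfile.ZipFile(jars_dir / "commons-text-1.9.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(jars_dir / "example-consumer-1.0.jar", "w") as zf:
        # Only the constant-pool string matters for this scan; the rest of a
        # real class file is omitted (the 0xCAFEBABE magic is kept for realism).
        zf.writestr("example/Template.class",
                    b"\xca\xfe\xba\xbe" + b"Lorg/apache/commons/text/StringSubstitutor;")
    with zipfile.ZipFile(jars_dir / "example-other-1.0.jar", "w") as zf:
        zf.writestr("example/Other.class",
                    b"\xca\xfe\xba\xbe" + b"Lorg/apache/commons/lang3/StringUtils;")


def triage_sample():
    """Build the constructed sample in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jars(tmp)
        return triage(tmp)


if __name__ == "__main__":
    print(triage_sample())
```

Run it against a real installation with triage("/path/to/spark/jars"). A jar listed under jars_referencing_api only shows that the class references the API; exposure additionally requires that attacker-controlled text reaches an interpolating substitutor (such as one from StringSubstitutor.createInterpolator()) on commons-text 1.5 through 1.9, which is the distinction drawn in the message above. The version check is by file name only, so a copy of commons-text shaded into another jar would not be reported.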