[ https://issues.apache.org/jira/browse/SPARK-26802?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Imran Rashid resolved SPARK-26802.
----------------------------------
    Resolution: Fixed

> CVE-2018-11760: Apache Spark local privilege escalation vulnerability
> ---------------------------------------------------------------------
>
>                 Key: SPARK-26802
>                 URL: https://issues.apache.org/jira/browse/SPARK-26802
>             Project: Spark
>          Issue Type: Bug
>          Components: PySpark, Security
>    Affects Versions: 1.6.3, 2.0.2, 2.1.3, 2.2.2
>            Reporter: Imran Rashid
>            Assignee: Luca Canali
>            Priority: Blocker
>             Fix For: 2.4.0, 2.3.2, 2.2.3
>
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions affected:
> All Spark 1.x, Spark 2.0.x, and Spark 2.1.x versions
> Spark 2.2.0 to 2.2.2
> Spark 2.3.0 to 2.3.1
>
> Description:
> When using PySpark, it's possible for a different local user to connect to
> the Spark application and impersonate the user running the Spark application.
> This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1.
>
> Mitigation:
> 1.x, 2.0.x, 2.1.x, and 2.2.x users should upgrade to 2.2.3 or newer
> 2.3.x users should upgrade to 2.3.2 or newer
> Otherwise, affected users should avoid using PySpark in multi-user
> environments.
>
> Credit:
> This issue was reported by Luca Canali and Jose Carlos Luna Duran from CERN.
>
> References:
> https://spark.apache.org/security.html
>
> This was fixed by
> https://github.com/apache/spark/commit/15fc2372269159ea2556b028d4eb8860c4108650
> https://github.com/apache/spark/commit/8080c937d3752aee2fd36f0045a057f7130f6fe4
> https://github.com/apache/spark/commit/a5624c7ae29d6d49117dd78642879bf978212d30
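The advisory gives its affected and fixed versions as ranges rather than a flat list, so a defender auditing a fleet needs to turn "2.2.0 to 2.2.2" and "2.3.x users should upgrade to 2.3.2" into a comparison, not a string match. The following is an added example, not code from the JIRA issue or from the Spark project: it encodes exactly the ranges stated above and reports whether a given PySpark version string is affected and which upgrade the advisory recommends. The `parse_version` helper and its handling of pre-release suffixes are assumptions made here; the only external name used is `pyspark.__version__`, which is assumed to be present when PySpark is installed and is only consulted inside a guarded import.

```python
# Added example (not part of SPARK-26802 or Apache Spark): check a PySpark
# version string against the ranges stated in the CVE-2018-11760 advisory.
from typing import Optional, Tuple


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' into a tuple of ints.

    Assumption: a non-numeric suffix ('2.3.1-SNAPSHOT', '2.4.0.dev0') is
    dropped, so a pre-release of X.Y.Z is treated like X.Y.Z. That is the
    conservative choice for an audit: a snapshot of a fixed release is
    reported as fixed only when its numeric part is at or past the fix.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


# Affected ranges copied from the advisory, as [inclusive lower, exclusive upper)
# with the fixed release from "Fix For" as the upper bound of each range.
AFFECTED_RANGES = [
    ((1, 0, 0), (2, 2, 3)),  # all 1.x, 2.0.x, 2.1.x and 2.2.0-2.2.2 -> fixed in 2.2.3
    ((2, 3, 0), (2, 3, 2)),  # 2.3.0-2.3.1 -> fixed in 2.3.2
]


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(version: str) -> Optional[str]:
    """Return the advisory's mitigation line for an affected version, else None."""
    if not is_affected(version):
        return None
    major, minor, _ = parse_version(version)
    if (major, minor) == (2, 3):
        return "2.3.2 or newer"
    return "2.2.3 or newer"


def audit_installed() -> Optional[str]:
    """Check the PySpark installed in this interpreter, if any.

    Assumption: pyspark exposes a __version__ string; the import is guarded so
    the check is a no-op (returns None) where PySpark is not installed.
    """
    try:
        import pyspark  # type: ignore
    except ImportError:
        return None
    version = getattr(pyspark, "__version__", None)
    if version is None:
        return None
    if is_affected(version):
        return "pyspark %s is affected by CVE-2018-11760; upgrade to %s" % (
            version, recommended_upgrade(version))
    return "pyspark %s is not in an affected range" % version


if __name__ == "__main__":
    # Constructed sample inputs covering the edges of each range.
    for sample in ["1.6.3", "2.1.3", "2.2.2", "2.2.3", "2.3.1", "2.3.2", "2.4.0"]:
        print(sample, "affected" if is_affected(sample) else "ok",
              recommended_upgrade(sample) or "")
    print(audit_installed() or "pyspark not installed here")
```

The range bounds matter at the edges: 2.2.2 and 2.3.1 are the last affected patch releases and 2.2.3 and 2.3.2 are the first fixed ones, so the check uses an exclusive upper bound equal to the fixed version rather than comparing against the last affected one.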