Re: CVE-2021-38296: Apache Spark Key Negotiation Vulnerability

2022-03-09 Thread Manu Zhang
Thanks for the clarification, Holden. However, we maintain our own Spark version and cherry pick critical patches from the community. It's not clear which patch we should apply here. Holden Karau wrote on Thursday, March 10, 2022 at 7:04 AM: > CVEs are generally not mentioned in the release notes or JIRA instead we

Re: CVE-2021-38296: Apache Spark Key Negotiation Vulnerability

2022-03-09 Thread Holden Karau
CVEs are generally not mentioned in the release notes or JIRA; instead we track them at https://spark.apache.org/security.html once they are resolved (prior to the resolution the report goes to secur...@spark.apache.org) to allow the project time to fix the issue before public disclosure so there

Re: CVE-2021-38296: Apache Spark Key Negotiation Vulnerability

2022-03-09 Thread Manu Zhang
Hi Sean, I don't find it in 3.1.3 release notes https://spark.apache.org/releases/spark-release-3-1-3.html. Is it tracked somewhere? On Thu, Mar 10, 2022 at 6:14 AM Sean R. Owen wrote: > Severity: moderate > > Description: > > Apache Spark supports end-to-end encryption of RPC connections via

CVE-2021-38296: Apache Spark Key Negotiation Vulnerability

2022-03-09 Thread Sean R. Owen
Severity: moderate

Description:

Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an
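The advisory above says the affected code path is only reached when both "spark.authenticate" and "spark.network.crypto.enabled" are on, and only in 3.1.2 and earlier. The following is an added example, not code from the Apache Spark project or from the advisory: a small audit script that parses a spark-defaults.conf and a version string and reports whether a deployment matches that affected combination. It assumes the conf file uses the usual "key value" or "key=value" lines, takes 3.1.3 as the first unaffected version purely from the "3.1.2 and earlier" wording, and uses a constructed sample configuration. As the thread itself points out, a forked Spark with cherry-picked patches will not be recognized by a version check, so treat a "vulnerable" result as a prompt to confirm which patch is present rather than as proof.

```python
"""Audit a Spark configuration for exposure to CVE-2021-38296.

Added example, not code from the Apache Spark project or from the advisory.
Assumptions: a spark-defaults.conf style "key value" / "key=value" file, and
the advisory's statement that 3.1.2 and earlier are affected (so anything
below 3.1.3 is treated as vulnerable). The config text below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed sample spark-defaults.conf contents (not from a real deployment).
SAMPLE_CONF = """
# Spark defaults - constructed example
spark.master                     spark://master:7077
spark.authenticate               true
spark.network.crypto.enabled     true
spark.authenticate.secret        not-a-real-secret
"""

# First version treated as unaffected, derived from "3.1.2 and earlier" (assumption).
FIXED_VERSION = (3, 1, 3)

_TRUE = {"true", "yes", "1"}


def parse_spark_conf(text: str) -> Dict[str, str]:
    """Parse 'key value' or 'key=value' lines; '#' starts a comment."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1].strip()
    return conf


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.1.2', '3.1.2-SNAPSHOT' or '3.1.2.0-vendor1' into a comparable tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognized Spark version string: {version!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_truthy(value: str) -> bool:
    return str(value).strip().lower() in _TRUE


def rpc_encryption_enabled(conf: Dict[str, str]) -> bool:
    """The affected key negotiation is only used when both settings are on."""
    return is_truthy(conf.get("spark.authenticate", "false")) and \
        is_truthy(conf.get("spark.network.crypto.enabled", "false"))


@dataclass
class Finding:
    vulnerable: bool
    reason: str


def assess(conf: Dict[str, str], spark_version: str) -> Finding:
    """Decide whether this deployment runs the affected key negotiation."""
    if not rpc_encryption_enabled(conf):
        return Finding(False, "RPC encryption via spark.network.crypto is not enabled")
    if parse_version(spark_version) >= FIXED_VERSION:
        return Finding(False, f"Spark {spark_version} is outside the affected range (<= 3.1.2)")
    return Finding(True, f"Spark {spark_version} with spark.authenticate and "
                         "spark.network.crypto.enabled uses the affected key negotiation")


if __name__ == "__main__":
    conf = parse_spark_conf(SAMPLE_CONF)
    for v in ("3.1.2", "3.1.3", "2.4.8"):
        print(v, assess(conf, v))
```

Run it against the real spark-defaults.conf and the output of `spark-submit --version` to get the same yes/no answer for a cluster; the version comparison is deliberately tolerant of vendor suffixes, which is exactly the case where a patched fork can report an "affected" version number.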