Posted to reviews@spark.apache.org by "bjornjorgensen (via GitHub)" <gi...@apache.org> on 2023/03/11 19:50:07 UTC

[GitHub] [spark] bjornjorgensen opened a new pull request, #40381: [SPARK-42761] Upgrade `fabric8:kubernetes-client` to 6.5.0

bjornjorgensen opened a new pull request, #40381:
URL: https://github.com/apache/spark/pull/40381

   ### What changes were proposed in this pull request?
   Upgrade fabric8:kubernetes-client from 6.4.1 to 6.5.0
   
   [Release notes](https://github.com/fabric8io/kubernetes-client/releases/tag/v6.5.0)
   ### Why are the changes needed?
   [CVE-2022-1471](https://www.cve.org/CVERecord?id=CVE-2022-1471)
   
   
   ### Does this PR introduce _any_ user-facing change?
   No.
   
   ### How was this patch tested?
   Pass GA


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org


[GitHub] [spark] dongjoon-hyun commented on pull request #40381: [SPARK-42761][BUILD] Upgrade `fabric8:kubernetes-client` to 6.5.0

Posted by "dongjoon-hyun (via GitHub)" <gi...@apache.org>.
dongjoon-hyun commented on PR #40381:
URL: https://github.com/apache/spark/pull/40381#issuecomment-1465293060

   @bjornjorgensen . Do you mean you cannot trust `winniegy`, the fabric8io community member's comment? He closed the issue after that comment.
   ![Screenshot 2023-03-12 at 1 26 33 PM](https://user-images.githubusercontent.com/9700541/224571715-ee1bd3d2-07c6-4097-9f6f-09e08d9c920f.png)
   
   Hence, the migration happens independently from the CVE just for the future release.
   
   In short, the following claim is wrong according to the context.
   > 3 weeks later they merged a PR https://github.com/fabric8io/kubernetes-client/commit/43b04f6cc2cde0b8cebb76c842c09de30c236780 that fixes this issue.




[GitHub] [spark] dongjoon-hyun commented on pull request #40381: [SPARK-42761][BUILD] Upgrade `fabric8:kubernetes-client` to 6.5.0

Posted by "dongjoon-hyun (via GitHub)" <gi...@apache.org>.
dongjoon-hyun commented on PR #40381:
URL: https://github.com/apache/spark/pull/40381#issuecomment-1465293982

   BTW, I have two additional questions about the following PR you referred to.
   
   
   1. Do you mean it's the evidence of the previous assessment?
   
   > SafeConstructor ignores LoaderOptions setCodePointLimit() (thanks to Robert Patrick)
   
   2. Do you think the following major version change is safe to us?
   ```
   - <snakeyaml.version>1.33</snakeyaml.version>
   + <snakeyaml.version>2.5</snakeyaml.version>
   ```




[GitHub] [spark] bjornjorgensen commented on pull request #40381: [SPARK-42761][BUILD][K8S] Upgrade `kubernetes-client` to 6.5.0

Posted by "bjornjorgensen (via GitHub)" <gi...@apache.org>.
bjornjorgensen commented on PR #40381:
URL: https://github.com/apache/spark/pull/40381#issuecomment-1526136105

   Are there any reasons why I need to get error messages like this one?
   ![image](https://user-images.githubusercontent.com/47577197/234956928-09d7f2c0-5488-47da-b6bc-b4ecca16f4cc.png)
   




[GitHub] [spark] bjornjorgensen commented on pull request #40381: [SPARK-42761][BUILD] Upgrade `fabric8:kubernetes-client` to 6.5.0

Posted by "bjornjorgensen (via GitHub)" <gi...@apache.org>.
bjornjorgensen commented on PR #40381:
URL: https://github.com/apache/spark/pull/40381#issuecomment-1465294879

   ok, I didn't know who this user was. I have updated the PR text now.




[GitHub] [spark] bjornjorgensen commented on pull request #40381: [SPARK-42761] Upgrade `fabric8:kubernetes-client` to 6.5.0

Posted by "bjornjorgensen (via GitHub)" <gi...@apache.org>.
bjornjorgensen commented on PR #40381:
URL: https://github.com/apache/spark/pull/40381#issuecomment-1465005644

   I did update this PR now with the score from NIST [9.8 CRITICAL](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2022-1471&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1&source=NIST) 
   
   CC @xinrong-meng




[GitHub] [spark] bjornjorgensen commented on pull request #40381: [SPARK-42761][BUILD] Upgrade `fabric8:kubernetes-client` to 6.5.0

Posted by "bjornjorgensen (via GitHub)" <gi...@apache.org>.
bjornjorgensen commented on PR #40381:
URL: https://github.com/apache/spark/pull/40381#issuecomment-1465295815

   Now that it turns out that the information I have been given is not correct, this changes the whole picture of why we should include this PR. I think we can wait until we are done with 3.4 so that we are on the safe side.




[GitHub] [spark] bjornjorgensen commented on pull request #40381: [SPARK-42761][BUILD] Upgrade `fabric8:kubernetes-client` to 6.5.0

Posted by "bjornjorgensen (via GitHub)" <gi...@apache.org>.
bjornjorgensen commented on PR #40381:
URL: https://github.com/apache/spark/pull/40381#issuecomment-1465158915

   **The maintainers of the library contend that the application's trust would already have had to be compromised or established and therefore dispute the risk associated with this issue on the basis that there is a high bar for exploitation. Thus, no fix is expected.**
   
   https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-3152153
   
   
   This is part of snakeyaml release notes
   
   2.0 (2023-02-26)
   
   Fix #570: SafeConstructor ignores LoaderOptions setCodePointLimit() (thanks to Robert Patrick)
   
   Update #565: (Backwards-incompatible) Do not allow global tags by default to fix CVE-2022-1471 (thanks to Jonathan Leitschuh)
   
   
   1.32 (2022-09-12)
   
   Fix #547: Set the limit for incoming data to prevent a CVE report in NIST. By default it is 3MB
   
   https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes
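As an added example (not code from the PR, from Spark or from kubernetes-client), this is how a consumer of SnakeYAML loads untrusted YAML the way the release notes above describe: `SafeConstructor` so that global (Java class) tags are refused, plus the `LoaderOptions` input limit; the two sample documents are constructed. Per the "Fix #570" entry, on the 1.x line the `SafeConstructor` path ignored `setCodePointLimit()`, so the size limit only takes effect through `SafeConstructor` from 2.0 onwards.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class SafeYamlLoad {
    // Constructed sample documents: one plain, one carrying a global tag
    // (tag:yaml.org,2002:java.lang.Object), which SafeConstructor must refuse.
    static final String PLAIN = "name: demo\nreplicas: 3\n";
    static final String TAGGED = "name: demo\nobj: !!java.lang.Object {}\n";

    // Build a loader that only constructs standard YAML types (maps, lists,
    // scalars) and bounds the amount of input it will parse.
    static Yaml safeYaml() {
        LoaderOptions opts = new LoaderOptions();
        // 3 MB, the default the 1.32 release note quotes; set explicitly so the
        // bound does not depend on the library default.
        opts.setCodePointLimit(3 * 1024 * 1024);
        opts.setAllowDuplicateKeys(false);
        return new Yaml(new SafeConstructor(opts));
    }

    // Returns true when the document loads, false when the loader rejects it
    // (global tag, size limit, duplicate key).
    static boolean loadsSafely(Yaml yaml, String document) {
        try {
            Map<String, Object> parsed = yaml.load(document);
            return parsed != null;
        } catch (YAMLException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        Yaml yaml = safeYaml();
        System.out.println("plain document accepted: " + loadsSafely(yaml, PLAIN));   // true
        System.out.println("tagged document accepted: " + loadsSafely(yaml, TAGGED)); // false
    }
}
```

The contrast to keep in mind is the default `new Yaml()` on the 1.x line, which uses `Constructor` and therefore resolves global tags to arbitrary classes on the classpath; that default is what CVE-2022-1471 describes and what SnakeYAML 2.0 changed.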




[GitHub] [spark] dongjoon-hyun closed pull request #40381: [SPARK-42761][BUILD][K8S] Upgrade `kubernetes-client` to 6.5.0

Posted by "dongjoon-hyun (via GitHub)" <gi...@apache.org>.
dongjoon-hyun closed pull request #40381: [SPARK-42761][BUILD][K8S] Upgrade `kubernetes-client` to 6.5.0
URL: https://github.com/apache/spark/pull/40381




[GitHub] [spark] dongjoon-hyun commented on pull request #40381: [SPARK-42761][BUILD][K8S] Upgrade `kubernetes-client` to 6.5.0

Posted by "dongjoon-hyun (via GitHub)" <gi...@apache.org>.
dongjoon-hyun commented on PR #40381:
URL: https://github.com/apache/spark/pull/40381#issuecomment-1526592183

   To @fryz . As @bjornjorgensen mentioned, the answer is no.
   > Will this fix be backported to other maintained branches (specifically the one I care about is the 3.3 branch)?




[GitHub] [spark] dongjoon-hyun commented on pull request #40381: [SPARK-42761][BUILD] Upgrade `fabric8:kubernetes-client` to 6.5.0

Posted by "dongjoon-hyun (via GitHub)" <gi...@apache.org>.
dongjoon-hyun commented on PR #40381:
URL: https://github.com/apache/spark/pull/40381#issuecomment-1465062311

   If you agree with the above assessment, please remove the misleading CVE information from the PR description, @bjornjorgensen .




[GitHub] [spark] bjornjorgensen commented on pull request #40381: [SPARK-42761][BUILD] Upgrade `fabric8:kubernetes-client` to 6.5.0

Posted by "bjornjorgensen (via GitHub)" <gi...@apache.org>.
bjornjorgensen commented on PR #40381:
URL: https://github.com/apache/spark/pull/40381#issuecomment-1465141874

   Well, the comment that you are referring to has a link, but I can't get in.
   ![image](https://user-images.githubusercontent.com/47577197/224536606-58b733ab-cfb9-47e6-bf19-485fae5e3f2c.png)
   
   3 weeks later they merged a PR https://github.com/fabric8io/kubernetes-client/commit/43b04f6cc2cde0b8cebb76c842c09de30c236780 that fixes this issue.
   
   And yesterday SNYK opened a PR to my repo for this issue. https://github.com/bjornjorgensen/spark/pull/102
   I can always change the text for this PR, but I haven't seen anything that makes me believe that kubernetes-client is not affected by this CVE.




[GitHub] [spark] bjornjorgensen commented on pull request #40381: [SPARK-42761] Upgrade `fabric8:kubernetes-client` to 6.5.0

Posted by "bjornjorgensen (via GitHub)" <gi...@apache.org>.
bjornjorgensen commented on PR #40381:
URL: https://github.com/apache/spark/pull/40381#issuecomment-1464999138

   @dongjoon-hyun FYI 




[GitHub] [spark] bjornjorgensen commented on pull request #40381: [SPARK-42761][BUILD][K8S] Upgrade `kubernetes-client` to 6.5.0

Posted by "bjornjorgensen (via GitHub)" <gi...@apache.org>.
bjornjorgensen commented on PR #40381:
URL: https://github.com/apache/spark/pull/40381#issuecomment-1516498054

   https://github.com/apache/spark/blob/cd166243ae4e3c8aafd1062994ce9daa94f58253/pom.xml#L213 upgrade from 5.12.2 to 6.5.0, that's a lot of work.




[GitHub] [spark] fryz commented on pull request #40381: [SPARK-42761][BUILD][K8S] Upgrade `kubernetes-client` to 6.5.0

Posted by "fryz (via GitHub)" <gi...@apache.org>.
fryz commented on PR #40381:
URL: https://github.com/apache/spark/pull/40381#issuecomment-1516409365

   Hey @dongjoon-hyun, 
   
   Will this fix be backported to other maintained branches (specifically the one I care about is the 3.3 branch)?
   
   Thanks! 
   
   

