Posted to commits@spark.apache.org by va...@apache.org on 2018/09/05 16:35:38 UTC
spark-website git commit: Clarify CVE-2018-8024 doesn't affect 1.6, 2.0
Repository: spark-website
Updated Branches:
refs/heads/asf-site afdb6cbb8 -> 0bfb69b9b
Clarify CVE-2018-8024 doesn't affect 1.6, 2.0
See discussion on private; CC vanzin
Author: Sean Owen <se...@databricks.com>
Closes #142 from srowen/Amend8024.
Project: http://git-wip-us.apache.org/repos/asf/spark-website/repo
Commit: http://git-wip-us.apache.org/repos/asf/spark-website/commit/0bfb69b9
Tree: http://git-wip-us.apache.org/repos/asf/spark-website/tree/0bfb69b9
Diff: http://git-wip-us.apache.org/repos/asf/spark-website/diff/0bfb69b9
Branch: refs/heads/asf-site
Commit: 0bfb69b9b07c5c3124cd2b74a3fae90d0c0e721f
Parents: afdb6cb
Author: Sean Owen <se...@databricks.com>
Authored: Wed Sep 5 09:35:31 2018 -0700
Committer: Marcelo Vanzin <va...@cloudera.com>
Committed: Wed Sep 5 09:35:31 2018 -0700
----------------------------------------------------------------------
security.md | 6 +++---
site/security.html | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/spark-website/blob/0bfb69b9/security.md
----------------------------------------------------------------------
diff --git a/security.md b/security.md
index 19231f6..9883d62 100644
--- a/security.md
+++ b/security.md
@@ -61,13 +61,13 @@ Severity: Medium
Versions Affected:
-- Spark versions through 2.1.2
+- Spark 2.1.0 through 2.1.2
- Spark 2.2.0 through 2.2.1
- Spark 2.3.0
Description:
-In Apache Spark up to and including 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious
+In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious
user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can
be tricked into accessing the URL, can be used to cause script to execute and expose information from
the user's view of the Spark UI. While some browsers like recent versions of Chrome and Safari are
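Review bot: The Versions Affected list states the correction only by omission. Replacing "Spark versions through 2.1.2" with "Spark 2.1.0 through 2.1.2" narrows the range, but a reader on 1.6 or 2.0 still has to infer from the missing entry that they are not affected, which is the whole point of the commit message. Consider adding an explicit line under the list, for example "Spark 1.6.x and 2.0.x are not affected", so the advisory says it directly. Minor: the list uses "through" while the description uses "2.1.0 to 2.1.2"; one wording for ranges would read more cleanly.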
@@ -75,7 +75,7 @@ able to block this type of attack, current versions of Firefox (and possibly oth
Mitigation:
-- 1.x, 2.0.x, and 2.1.x users should upgrade to 2.1.3 or newer
+- 2.1.x users should upgrade to 2.1.3 or newer
- 2.2.x users should upgrade to 2.2.2 or newer
- 2.3.x users should upgrade to 2.3.1 or newer
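Review bot: Nothing in the Mitigation section (or elsewhere in the visible entry) records that the advisory was amended. The removed line "1.x, 2.0.x, and 2.1.x users should upgrade to 2.1.3 or newer" was published guidance, and anyone comparing this page with an earlier copy of the advisory text will now see two different affected ranges with no explanation. A short dated revision note on the entry, saying the affected range was narrowed to start at 2.1.0, would let readers tell which version is authoritative.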
http://git-wip-us.apache.org/repos/asf/spark-website/blob/0bfb69b9/site/security.html
----------------------------------------------------------------------
diff --git a/site/security.html b/site/security.html
index 4e42fe7..05af056 100644
--- a/site/security.html
+++ b/site/security.html
@@ -258,14 +258,14 @@ from running jobs in cluster mode. Alternatively, they can ensure access to the
<p>Versions Affected:</p>
<ul>
- <li>Spark versions through 2.1.2</li>
+ <li>Spark 2.1.0 through 2.1.2</li>
<li>Spark 2.2.0 through 2.2.1</li>
<li>Spark 2.3.0</li>
</ul>
<p>Description:</p>
-<p>In Apache Spark up to and including 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it’s possible for a malicious
+<p>In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it’s possible for a malicious
user to construct a URL pointing to a Spark cluster’s UI’s job and stage info pages, and if a user can
be tricked into accessing the URL, can be used to cause script to execute and expose information from
the user’s view of the Spark UI. While some browsers like recent versions of Chrome and Safari are
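Review bot: The description sentence being edited here is still hard to parse in its unchanged continuation: "and if a user can be tricked into accessing the URL, can be used to cause script to execute" has no subject for "can be used". Since the paragraph is already touched in this change, consider "and if a user can be tricked into accessing the URL, it can be used to cause script to execute". The same sentence appears in the security.md hunk, so the wording fix belongs in both files to keep them identical.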
@@ -274,7 +274,7 @@ able to block this type of attack, current versions of Firefox (and possibly oth
<p>Mitigation:</p>
<ul>
- <li>1.x, 2.0.x, and 2.1.x users should upgrade to 2.1.3 or newer</li>
+ <li>2.1.x users should upgrade to 2.1.3 or newer</li>
<li>2.2.x users should upgrade to 2.2.2 or newer</li>
<li>2.3.x users should upgrade to 2.3.1 or newer</li>
</ul>