Description: In Apache Spark 2.4.5 and earlier, a standalone resource manager’s master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application’s resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).
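The description above leaves an operator with a practical question: is a given Spark host exposed? The check below is an added example, not code from the Gentoo bug or the Spark project. It decides exposure from the installed version string and the contents of spark-defaults.conf, using two facts from the advisory: only versions before 2.4.6 are affected, and only the standalone resource manager (a spark:// master URL) is in scope. The sample configuration is constructed for the example; the spark-defaults.conf "key value" line format and the spark.master / spark.authenticate keys are Spark's own.

```python
"""Added example: classify a Spark deployment's exposure to CVE-2020-9480.

Assumptions (not from the bug page): spark-defaults.conf is parsed as
one "key value" pair per line with '#' comments, and the resource manager
is inferred from the scheme of spark.master (spark:// means standalone).
"""
import re

FIXED_VERSION = (2, 4, 6)  # first release the bug names as not insecure

# Constructed sample configuration for demonstration only.
SAMPLE_CONF = """
# spark-defaults.conf (constructed sample)
spark.master        spark://master.example.internal:7077
spark.authenticate  true
"""


def parse_version(version: str) -> tuple:
    """Turn '2.4.5' or '2.4.6-bin-hadoop2.7' into a comparable int tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Spark version: {version!r}")
    return tuple(int(x) for x in m.groups())


def parse_spark_defaults(text: str) -> dict:
    """Parse spark-defaults.conf: 'key value' per line, '#' comments, blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def resource_manager(master_url: str) -> str:
    """Classify spark.master by URL scheme; standalone masters use spark://."""
    url = master_url.strip().lower()
    if url.startswith("spark://"):
        return "standalone"
    if url == "yarn":
        return "yarn"
    if url.startswith("mesos://"):
        return "mesos"
    if url.startswith("k8s://"):
        return "kubernetes"
    if url.startswith("local"):
        return "local"
    return "unknown"


def assess(version: str, conf_text: str) -> dict:
    """Return the exposure verdict for one deployment."""
    v = parse_version(version)
    conf = parse_spark_defaults(conf_text)
    manager = resource_manager(conf.get("spark.master", ""))
    auth_enabled = conf.get("spark.authenticate", "false").lower() == "true"
    # The flaw lets an RPC bypass the shared-secret check on the standalone
    # master, so spark.authenticate=true does NOT mitigate on old versions;
    # the only fix the bug records is upgrading to 2.4.6 or later.
    affected = v < FIXED_VERSION and manager == "standalone"
    return {
        "version": v,
        "resource_manager": manager,
        "spark_authenticate": auth_enabled,
        "affected": affected,
        "advice": ("upgrade to 2.4.6 or later" if affected
                   else "not in scope of CVE-2020-9480"),
    }


if __name__ == "__main__":
    for ver in ("2.4.5", "2.4.6"):
        print(ver, assess(ver, SAMPLE_CONF))
```

Note that the verdict deliberately ignores the value of spark.authenticate: on a vulnerable standalone master the shared secret is what the crafted RPC gets around, so enabling it is not a substitute for the version bump this bug tracks.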
Maintainers, please bump.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=517a73e1a50509ad8f834400a45eb9a987fe35b9

commit 517a73e1a50509ad8f834400a45eb9a987fe35b9
Author:     Alec Ten Harmsel <alec@alectenharmsel.com>
AuthorDate: 2020-06-23 10:43:02 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-07-16 14:38:42 +0000

    sys-cluster/spark-bin: Remove 2.4.5

    Insecure (see CVE-2020-9480).

    Bug: https://bugs.gentoo.org/729222
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Alec Ten Harmsel <alec@alectenharmsel.com>
    Closes: https://github.com/gentoo/gentoo/pull/16383
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 sys-cluster/spark-bin/Manifest               |  1 -
 sys-cluster/spark-bin/spark-bin-2.4.5.ebuild | 61 ----------------------------
 2 files changed, 62 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9c182e63b5cb2e159edd60c2ebaebfefe46504d9

commit 9c182e63b5cb2e159edd60c2ebaebfefe46504d9
Author:     Alec Ten Harmsel <alec@alectenharmsel.com>
AuthorDate: 2020-06-23 10:39:15 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-07-16 14:38:42 +0000

    sys-cluster/spark-bin: Bump to 2.4.6

    2.4.5 and earlier are insecure (see CVE-2020-9480).

    Bug: https://bugs.gentoo.org/729222
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Alec Ten Harmsel <alec@alectenharmsel.com>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 sys-cluster/spark-bin/Manifest               |  1 +
 sys-cluster/spark-bin/spark-bin-2.4.6.ebuild | 61 ++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)
Thanks. All done.
All done, noglsa, closing.