CVE-2021-42343 (https://github.com/dask/dask/releases): An issue was discovered in Dask (aka python-dask) through 2021.09.1. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution. These references aren't very useful; I can't tell if this is actually in the changelog.
For the record, I think we're not affected since we lastrited distributed a long time ago. However, I suppose some users may re-add it locally.
I suspect the following commit in dask/distributed fixes it:

commit afce4be8e05fb180e50a9d9e38465f1a82295e1b
Author: Jim Crist-Harif <jcrist@users.noreply.github.com>
Date:   2021-10-14 23:21:56 +0200

    Pass `host` through `LocalCluster` to workers (#5427)

    Previously the `host` parameter to `LocalCluster` would only be forwarded to `Scheduler` instances and not `Worker`/`Nanny` instances, leading to workers listening on non-localhost in some configurations. This fixes that and adds a test.

    Co-authored-by: James Bourbeau <jrbourbeau@gmail.com>

This is included in distributed 2021.10.0 but, as I said, we don't package that anymore.
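A quick way for an administrator to verify whether a running LocalCluster is affected by the behaviour described above (workers bound to non-loopback interfaces) is to inspect the worker addresses the scheduler reports and flag any that are not loopback. The script below is an added example written for this thread; it is not code from the bug report or from dask/distributed. It assumes worker addresses come as "tcp://host:port" strings, as for example the keys of cluster.scheduler_info["workers"] (that attribute name is an assumption about the distributed API); the sample addresses are constructed.

```python
"""Flag Dask worker addresses that are not bound to a loopback interface.

Added example, not from the bug report or from dask/distributed.  Worker
addresses are assumed to be "tcp://host:port" strings, e.g. the keys of
cluster.scheduler_info["workers"] on a LocalCluster (assumed API name).
"""
import ipaddress
from urllib.parse import urlsplit


def is_loopback_address(addr: str) -> bool:
    """Return True only if the host part of addr is a loopback address.

    "localhost", 127.0.0.0/8 and ::1 count as loopback.  A wildcard bind
    (0.0.0.0 or ::) or any routable address is reported as exposed, and an
    unresolved hostname is treated as not verified rather than assumed safe.
    """
    host = urlsplit(addr).hostname  # strips IPv6 brackets, lowercases
    if host is None:
        return False
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def exposed_workers(addresses):
    """Return the worker addresses that are listening on non-loopback hosts."""
    return [a for a in addresses if not is_loopback_address(a)]


# Constructed sample: two workers correctly on loopback, one listening on an
# external interface with a random high port, as the CVE text describes.
SAMPLE_WORKERS = [
    "tcp://127.0.0.1:45123",
    "tcp://192.0.2.10:38877",
    "tcp://[::1]:40001",
]

if __name__ == "__main__":
    # With a live cluster you would pass list(cluster.scheduler_info["workers"])
    # (assumed attribute) instead of SAMPLE_WORKERS.
    for worker in exposed_workers(SAMPLE_WORKERS):
        print("worker listening on a non-loopback interface:", worker)
```

An empty result from exposed_workers means every worker is bound to loopback, which is the behaviour the fix commit above restores by forwarding host to the workers; a non-empty result on a version before 2021.10.0 is the condition the CVE describes.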
Thanks, this can be invalid then. I asked MITRE about the useless references anyway, but haven't gotten a response.