oss-sec mailing list archives

Re: CVE-2023-40272: Apache Airflow Spark Provider Arbitrary File Read via JDBC


From: Seth Arnold <seth.arnold () canonical com>
Date: Fri, 18 Aug 2023 00:20:43 +0000

On Thu, Aug 17, 2023 at 01:07:16PM +0000, Elad Kalif wrote:
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-40272

Hello Elad, thanks for contacting the oss-security mailing list about this
security issue in an Apache project.

I'd like to suggest that your email would be far more useful if it
included details like a direct link to a patch in a source control
system or attached the patch directly.

It is also helpful to know when a flaw was introduced, if this information
is already known.

This particular email has very few details and no references for a fix so
it is very difficult for anyone to take concrete actions.

Here are two recent postings that are far easier for downstream distributors
and consumers alike to use:
https://www.openwall.com/lists/oss-security/2023/04/04/1
https://www.openwall.com/lists/oss-security/2023/03/21/3

I'd like to encourage Apache to use these as inspiration for future
oss-security postings.

Thanks
