Vulnerability patching

[thien1212381]

I used safetycli to scan and found some vulnerabilities.
16 vulnerabilities were found in 7 packages
....
-> Vulnerability found in pyspark version 3.0.0
Vulnerability ID: 54370
Affected spec: >=0,<3.1.3
ADVISORY: Apache Spark supports end-to-end encryption of RPC
connections via "spark.authenticate" and "spark.network.crypto.enabled"....
CVE-2021-38296
For more information, please visit
https://data.safetycli.com/v/54370/f17

-> Vulnerability found in pyspark version 3.0.0
Vulnerability ID: 54576
Affected spec: >=0,<3.2.2
ADVISORY: A stored cross-site scripting (XSS) vulnerability in Apache
Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute...
CVE-2022-31777
For more information, please visit
https://data.safetycli.com/v/54576/f17

-> Vulnerability found in pyspark version 3.0.0
Vulnerability ID: 54694
Affected spec: <=3.0.3
ADVISORY: The Apache Spark UI offers the possibility to enable ACLs
via the configuration option spark.acls.enable. With an authentication...
CVE-2022-33891
For more information, please visit
https://data.safetycli.com/v/54694/f17

[thien1212381]

can we update python version image in github action jobs (for install dependencies step) to 3.9? @mou

[mike0sv]

Hey @thien1212381 ! You updated dependencies in requirements.min.txt, which is used only for testing for backward-compatibility in CI. Can you run this tool for actual requirements that are in setup.py?

[rxm7706]

Additionally - Currently an Open CVE on Pyarrow https://nvd.nist.gov/vuln/detail/CVE-2023-47248 is flagged with evidently - because of pyarrow <14.0.1
Reference : #862 (comment)

[emeli-dral]

Hey!
pydantic version is already upgraded to be >=1.10.14;
pyspark will be upgraded as well in #1008