Update GHSA-4x9r-j582-cgr8.json fixed versions

[alowayed]

Update fixed versions for Maven and PyPI ecosystems.

Change last_affected to fixed to more closely match the recommendations in: https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc

Upgrade to supported Apache Spark maintenance release 3.1.3, 3.2.2, or 3.3.0 or later

This could be replaced with:

{
  {"introduced": "0"},
  {"last_affected": "3.0.3"}
},
{
  {"introduced": "3.1.0"},
  {"fixed": "3.1.3"}
},
{
  {"introduced": "3.2.0"},
  {"fixed": "3.2.2"}
}

But given there is no version between 3.0.3 and 3.1.0 this seems unnecessary and potentially confusing.

• https://mvnrepository.com/artifact/org.apache.spark/spark-parent
• https://pypi.org/project/pyspark/#history

This change follows the OSV format recommendations to use fixed instead of last_affected: https://ossf.github.io/osv-schema/#requirements

[JonathanLEvans]

Hi @alowayed, thank you for your interest in the GitHub Advisory Database. The way I read

This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.

from https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc, is that 3.1.0 is not affected. Is there somewhere that states that 3.1.0 is affected?

[alowayed]

I was worried that was a mistake on Apache's part. It seems odd to me that version 3.1.0 would be safe while versions 3.1.1 and 3.1.2 are vulnerable. But it's best to stick with exactly what Apache reported. Updated the PR.

[JonathanLEvans]

Hi @alowayed, per https://www.openwall.com/lists/oss-security/2023/05/02/1, 3.1.3 is also affected.