Avro 1.11.3 especially fixes CVE-2023-39410 (https://nvd.nist.gov/vuln/detail/CVE-2023-39410).
The fix limits the size of the stream (reading header) to avoid OOME when a stream is corrupted.
It could happen in the Arrow Avro adapter, so I propose to update the Avro version. I'm preparing a PR about that.
Component(s)
Java
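
An added illustration (not Avro's or Arrow's code) of the failure mode the issue describes: a decoder that trusts a length prefix from a corrupted stream can be asked to allocate far more memory than the stream holds, so the declared length is checked before any allocation. It assumes Avro's zigzag-varint encoding for length prefixes; the cap `MAX_FIELD_BYTES` and the class and method names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

public class BoundedLengthRead {
    // Hypothetical cap for this sketch; not an Avro constant.
    static final long MAX_FIELD_BYTES = 1 << 20;

    // Decode a zigzag varint long, the encoding Avro uses for length prefixes.
    static long readZigZagLong(InputStream in) throws IOException {
        long raw = 0;
        for (int shift = 0; shift < 64; shift += 7) {
            int b = in.read();
            if (b < 0) throw new EOFException("truncated varint");
            raw |= (long) (b & 0x7F) << shift;
            if ((b & 0x80) == 0) return (raw >>> 1) ^ -(raw & 1);
        }
        throw new IOException("varint longer than 10 bytes");
    }

    // Read a length-prefixed field, rejecting the declared length before allocating.
    static byte[] readBytes(InputStream in) throws IOException {
        long declared = readZigZagLong(in);
        if (declared < 0 || declared > MAX_FIELD_BYTES) {
            throw new IOException("declared length " + declared + " exceeds cap");
        }
        byte[] buf = in.readNBytes((int) declared); // Java 11+
        if (buf.length != declared) throw new EOFException("field shorter than declared");
        return buf;
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: "hi" with length prefix 2 (zigzag 0x04), and a
        // corrupted prefix declaring 2^31 - 1 bytes with no data behind it.
        byte[] valid = {0x04, 'h', 'i'};
        byte[] corrupt = {(byte) 0xFE, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 0x0F};
        byte[] ok = readBytes(new ByteArrayInputStream(valid));
        System.out.println(new String(ok, StandardCharsets.US_ASCII));
        try {
            readBytes(new ByteArrayInputStream(corrupt));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Without the cap check, the five-byte corrupted input would drive a request for roughly 2 GiB of buffer from a stream that contains no payload at all.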
### Rationale for this change
Upgrade to Avro 1.11.3 to fix CVE-2023-39410
### What changes are included in this PR?
Upgrade to Avro 1.11.3
### Are these changes tested?
Run local tests especially on Avro adapter
### Are there any user-facing changes?
Not directly
* Closes: #39299
Authored-by: JB Onofré <jbonofre@apache.org>
Signed-off-by: David Li <li.davidm96@gmail.com>
dgreiss pushed a commit to dgreiss/arrow that referenced this issue Feb 19, 2024