
[Java]: Upgrade to Avro 1.11.3 #39299

Closed
jbonofre opened this issue Dec 19, 2023 · 0 comments · Fixed by #39300

Comments


jbonofre commented Dec 19, 2023

Describe the enhancement requested

Avro 1.11.3 especially fixes CVE-2023-39410 (https://nvd.nist.gov/vuln/detail/CVE-2023-39410).
The fix limits the size of the stream (reading header) to avoid an OOME when a stream is corrupted.
It could happen in the Arrow Avro adapter, so I propose to update the Avro version. I'm preparing a PR about that.

Component(s)

Java
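The failure mode the issue describes, a corrupted length field in an Avro stream driving an allocation that ends in an OutOfMemoryError, can be illustrated with a minimal length-prefixed reader. The Java below is an added example written for this page; it is neither Arrow's Avro adapter code nor the actual Avro 1.11.3 patch. The class and method names, the 16 MiB cap, and the constructed payloads are assumptions chosen for illustration; only the varint and zig-zag encoding follows the Avro binary format.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

// Added example (not Arrow or Avro code): reading an Avro-style "bytes" field,
// i.e. a zig-zag varint length followed by that many bytes, from untrusted input.
public final class BoundedBytesReader {

    // Assumed cap; a real deployment sizes this to its largest legitimate record.
    static final int MAX_BYTES_LENGTH = 16 * 1024 * 1024;

    // Vulnerable pattern: trusts the length on the wire and allocates before reading.
    // A corrupted length near Integer.MAX_VALUE -> OutOfMemoryError; above it the
    // (int) cast goes negative -> NegativeArraySizeException. Kept for contrast, not called.
    static byte[] readBytesUnbounded(InputStream in) throws IOException {
        long len = readZigZagLong(in);
        byte[] buf = new byte[(int) len];
        readFully(in, buf);
        return buf;
    }

    // Hardened pattern: validate the declared length against an explicit cap before
    // allocating, and fail on a stream that cannot supply what the header promised.
    static byte[] readBytesBounded(InputStream in, int maxLength) throws IOException {
        long len = readZigZagLong(in);
        if (len < 0) {
            throw new IOException("negative length " + len);
        }
        if (len > maxLength) {
            throw new IOException("declared length " + len + " exceeds limit " + maxLength);
        }
        byte[] buf = new byte[(int) len];   // safe: len <= maxLength <= Integer.MAX_VALUE
        readFully(in, buf);                 // EOFException if the stream is shorter than declared
        return buf;
    }

    // Avro binary varint: little-endian 7-bit groups, high bit = continuation, zig-zag signed.
    static long readZigZagLong(InputStream in) throws IOException {
        long raw = 0;
        int shift = 0;
        while (true) {
            int b = in.read();
            if (b < 0) {
                throw new EOFException("truncated varint");
            }
            raw |= (long) (b & 0x7F) << shift;
            if ((b & 0x80) == 0) {
                break;
            }
            shift += 7;
            if (shift > 63) {
                throw new IOException("varint longer than 10 bytes");
            }
        }
        return (raw >>> 1) ^ -(raw & 1);    // zig-zag decode
    }

    static void readFully(InputStream in, byte[] buf) throws IOException {
        int off = 0;
        while (off < buf.length) {
            int n = in.read(buf, off, buf.length - off);
            if (n < 0) {
                throw new EOFException("stream ended after " + off + " of " + buf.length + " bytes");
            }
            off += n;
        }
    }

    // Encoder used only to build the constructed test payloads below.
    static byte[] encodeZigZagLong(long v) {
        long n = (v << 1) ^ (v >> 63);      // zig-zag encode
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        while ((n & ~0x7FL) != 0) {
            out.write((int) ((n & 0x7F) | 0x80));
            n >>>= 7;
        }
        out.write((int) n);
        return out.toByteArray();
    }

    static byte[] concat(byte[] a, byte[] b) {
        byte[] out = new byte[a.length + b.length];
        System.arraycopy(a, 0, out, 0, a.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }

    public static void main(String[] args) throws IOException {
        byte[] payload = "hello".getBytes(StandardCharsets.UTF_8);

        // Well-formed record: header says 5, stream carries 5.
        byte[] good = concat(encodeZigZagLong(payload.length), payload);
        System.out.println("ok: " + new String(
                readBytesBounded(new ByteArrayInputStream(good), MAX_BYTES_LENGTH), StandardCharsets.UTF_8));

        // Constructed corruption 1: header claims ~2 GiB, stream carries 5 bytes.
        byte[] hugeHeader = concat(encodeZigZagLong(Integer.MAX_VALUE), payload);
        try {
            readBytesBounded(new ByteArrayInputStream(hugeHeader), MAX_BYTES_LENGTH);
        } catch (IOException e) {
            System.out.println("rejected before allocation: " + e.getMessage());
        }

        // Constructed corruption 2: header claims 100 bytes, stream is truncated at 5.
        byte[] truncated = concat(encodeZigZagLong(100), payload);
        try {
            readBytesBounded(new ByteArrayInputStream(truncated), MAX_BYTES_LENGTH);
        } catch (IOException e) {
            System.out.println("rejected on read: " + e.getMessage());
        }
    }
}
```

The point of the bounded reader is that the check runs on the declared length before any allocation happens, so a corrupted or hostile header costs the process one exception rather than a heap-sized allocation. Note that the cap has to be a property of the application, not of the format: nothing in a length prefix itself distinguishes a legitimate 2 GiB value from a corrupted one, so the reader needs an externally supplied limit to compare against.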

jbonofre added a commit to jbonofre/arrow that referenced this issue Dec 19, 2023
lidavidm pushed a commit that referenced this issue Dec 19, 2023
### Rationale for this change

Upgrade to Avro 1.11.3 to fix CVE-2023-39410

### What changes are included in this PR?

Upgrade to Avro 1.11.3

### Are these changes tested?

Run local tests, especially on the Avro adapter

### Are there any user-facing changes?

Not directly

* Closes: #39299

Authored-by: JB Onofré <jbonofre@apache.org>
Signed-off-by: David Li <li.davidm96@gmail.com>
@lidavidm lidavidm added this to the 15.0.0 milestone Dec 19, 2023
clayburn pushed a commit to clayburn/arrow that referenced this issue Jan 23, 2024
dgreiss pushed a commit to dgreiss/arrow that referenced this issue Feb 19, 2024