
[Security] Bump aircompressor and commons-compress to fix cve problems#3863

Merged
JingsongLi merged 6 commits into apache:master from Smith-Cruise:fix-cve on Aug 13, 2024

Conversation

@Smith-Cruise (Contributor):

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| io.airlift:aircompressor (paimon-bundle-0.8.2.jar) | CVE-2024-36114 | HIGH | fixed | 0.21 | 0.27 | Decompressors can crash the JVM and leak memory content in Aircompressor (https://avd.aquasec.com/nvd/cve-2024-36114) |
| org.apache.commons:commons-compress (paimon-bundle-0.8.2.jar) | CVE-2024-25710 | HIGH | fixed | 1.22 | 1.26.0 | commons-compress: Denial of service caused by an infinite loop for a corrupted... (https://avd.aquasec.com/nvd/cve-2024-25710) |
| org.apache.commons:commons-compress (paimon-bundle-0.8.2.jar) | CVE-2024-26308 | HIGH | fixed | 1.22 | 1.26.0 | commons-compress: OutOfMemoryError unpacking broken Pack200 file (https://avd.aquasec.com/nvd/cve-2024-26308) |
| org.apache.commons:commons-compress (paimon-bundle-0.8.2.jar) | CVE-2023-42503 | MEDIUM | fixed | 1.22 | 1.24.0 | apache-commons-compress: Denial of service via CPU consumption for malformed TAR file (https://avd.aquasec.com/nvd/cve-2023-42503) |

Purpose

fix it

Tests

API and Format

Documentation
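A bump like this one is only effective if the shaded bundle jar actually ships the new versions, so the check worth running after the build is against the jar, not the pom. The script below is an added example, not code from this PR or from the Paimon project: it reads the `META-INF/maven/<groupId>/<artifactId>/pom.properties` entries that the shade plugin carries into a bundle jar, compares them against the fixed versions from the scan table above, and reports any flagged library still below its fix. The two jars it inspects are constructed in memory as stand-ins for `paimon-bundle` before and after the bump; the `FIXED_VERSIONS` values are the ones in the table.

```python
import io
import zipfile

# Fixed versions taken from the scan table in this PR description.
FIXED_VERSIONS = {
    ("io.airlift", "aircompressor"): "0.27",
    ("org.apache.commons", "commons-compress"): "1.26.0",
}


def parse_version(version):
    """Turn '1.26.0' / '0.27' / '1.26.0-SNAPSHOT' into a tuple of ints.
    Non-numeric suffixes are dropped, which is enough for the artifacts here."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_below(installed, fixed):
    """True if `installed` is older than `fixed`; shorter tuples are padded with
    zeros so that '1.26' and '1.26.0' compare equal."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def bundled_versions(jar_bytes):
    """Map (groupId, artifactId) -> version for every pom.properties that the
    shade plugin kept under META-INF/maven/ in the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if not line or line.startswith("#") or "=" not in line:
                    continue
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"} <= props.keys():
                found[(props["groupId"], props["artifactId"])] = props["version"]
    return found


def vulnerable_libraries(jar_bytes, fixed=FIXED_VERSIONS):
    """List (groupId, artifactId, installed, fixed) for every flagged library that
    is bundled below its fixed version. A library that is not bundled at all is
    not reported, since it cannot be reached through this jar."""
    installed = bundled_versions(jar_bytes)
    return [
        (group, artifact, installed[(group, artifact)], fixed_version)
        for (group, artifact), fixed_version in fixed.items()
        if (group, artifact) in installed
        and version_below(installed[(group, artifact)], fixed_version)
    ]


def make_bundle_jar(artifacts):
    """Constructed sample: an in-memory jar with one pom.properties per
    (groupId, artifactId, version), mimicking what maven-shade-plugin keeps."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for group, artifact, version in artifacts:
            zf.writestr(
                f"META-INF/maven/{group}/{artifact}/pom.properties",
                f"#Generated by Maven\nversion={version}\ngroupId={group}\nartifactId={artifact}\n",
            )
    return buf.getvalue()


# Constructed stand-ins for the bundle jar before and after the version bumps.
BEFORE_JAR = make_bundle_jar([
    ("io.airlift", "aircompressor", "0.21"),
    ("org.apache.commons", "commons-compress", "1.22"),
])
AFTER_JAR = make_bundle_jar([
    ("io.airlift", "aircompressor", "0.27"),
    ("org.apache.commons", "commons-compress", "1.26.0"),
])

if __name__ == "__main__":
    for label, jar in (("before", BEFORE_JAR), ("after", AFTER_JAR)):
        print(label, vulnerable_libraries(jar))
```

To run it against a real build, replace `BEFORE_JAR`/`AFTER_JAR` with `open("paimon-bundle-<version>.jar", "rb").read()`. One caveat: a shade configuration that strips `META-INF/maven/` leaves nothing for this check to read, in which case an inventory of the relocated class packages is the fallback, and a scanner run on the produced jar (as in the table above) remains the authoritative result.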


<!-- From paimon-format -->
<!-- From org.apache.avro -->
<dependency>
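Review bot: the two provenance comments stacked above this `<dependency>` (`<!-- From paimon-format -->` and `<!-- From org.apache.avro -->`) leave it unclear which module actually pulls in the artifact being pinned here; keep the one that is accurate, and since this override exists only to force a patched version, say so in that comment (the CVE identifiers from the scan table would do) so a later cleanup does not drop it and silently reintroduce the old transitive version.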
Contributor (reviewer):

You should bundle this in paimon-format

Contributor Author (@Smith-Cruise):

Did you mean moving commons-compress to paimon-format?

Contributor (reviewer):

Yes.

Signed-off-by: Smith Cruise <chendingchao1@126.com>
@Smith-Cruise (Contributor Author):

For Avro, I didn't know why the UT couldn't pass.

I've tried bumping Avro to 1.12.0, but CI failed.

@JingsongLi (Contributor) left a comment:

+1

@JingsongLi JingsongLi merged commit 16f3629 into apache:master Aug 13, 2024
@Smith-Cruise Smith-Cruise deleted the fix-cve branch August 13, 2024 12:44