fix: bump pyarrow constraints (CVE-2023-47248) #26187

Merged
merged 1 commit into from
Dec 11, 2023

Conversation

cwegener (Contributor) commented Dec 5, 2023

PyArrow < 14.0.1 is vulnerable to RCE when using IPC, Flight or Parquet
from untrusted sources.

Superset SQLLab does so.

So we need to care about this vulnerability.

codecov bot commented Dec 5, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (d2cce51) 69.15% compared to head (39647dd) 67.00%.
Report is 12 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #26187      +/-   ##
==========================================
- Coverage   69.15%   67.00%   -2.16%     
==========================================
  Files        1944     1944              
  Lines       75925    75925              
  Branches     8451     8451              
==========================================
- Hits        52505    50871    -1634     
- Misses      21235    22869    +1634     
  Partials     2185     2185              
Flag Coverage Δ
hive ?
mysql 78.07% <ø> (ø)
postgres 78.19% <ø> (?)
presto ?
python 78.33% <ø> (-4.48%) ⬇️
sqlite 76.85% <ø> (ø)
unit ?

Flags with carried forward coverage won't be shown.

@cwegener cwegener changed the title chore: bump pyarrow constraints (CVE-2023-47248) fix: bump pyarrow constraints (CVE-2023-47248) Dec 5, 2023
sfirke (Member) commented Dec 7, 2023

Fixes #26153

cwegener (Contributor, Author) commented Dec 7, 2023

> Fixes #26153

Only partially. 😉 As explained in my comment in #26153

@rusackas rusackas added 2.1.3 v2.1 v3.1 Label added by the release manager to track PRs to be included in the 3.1 branch v3.0 Label added by the release manager to track PRs to be included in the 3.0 branch labels Dec 8, 2023
@michael-s-molina michael-s-molina merged commit 2ac2892 into apache:master Dec 11, 2023
33 checks passed
michael-s-molina pushed a commit that referenced this pull request Dec 11, 2023
michael-s-molina pushed a commit that referenced this pull request Dec 15, 2023
sadpandajoe added a commit to preset-io/superset that referenced this pull request Dec 18, 2023
josedev-union pushed a commit to Ortege-xyz/studio that referenced this pull request Jan 22, 2024
@mistercrunch mistercrunch added 🍒 3.0.3 🍒 3.0.4 🍒 3.1.0 🍒 3.1.1 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels labels Mar 8, 2024
sfirke pushed a commit to sfirke/superset that referenced this pull request Mar 22, 2024
Labels: 2.1.3, 🏷️ bot, size/XS, v2.1, v3.0, v3.1, 🍒 3.0.3, 🍒 3.0.4, 🍒 3.1.0, 🍒 3.1.1