This is an automated email from the ASF dual-hosted git repository.

gurwls223 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/spark.git


The following commit(s) were added to refs/heads/master by this push:
     new 9933e9c2c54 [SPARK-45323][BUILD] Upgrade `snappy` to 1.1.10.4
9933e9c2c54 is described below

commit 9933e9c2c54e7081ef3f23c4b3804d3ecdd175ff
Author: Bjørn Jørgensen <bjornjorgen...@gmail.com>
AuthorDate: Tue Sep 26 19:57:46 2023 +0900

    [SPARK-45323][BUILD] Upgrade `snappy` to 1.1.10.4
    
    ### What changes were proposed in this pull request?
    Upgrade snappy from 1.1.10.3 to 1.1.10.4
    
    ### Why are the changes needed?
    Security Fix
    Fixed SnappyInputStream so as not to allocate too large memory when
    decompressing data with an extremely large chunk size by tunnelshade ([code
    change](https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5))
    This does not affect users only using Snappy.compress/uncompress methods
    
    [Release note](https://github.com/xerial/snappy-java/releases)
    
    Details
    While performing mitigation efforts related to
    [CVE-2023-34455](https://nvd.nist.gov/vuln/detail/CVE-2023-34455) in Confluent
    products, our Application Security team closely analyzed the fix that was
    accepted and merged into snappy-java version 1.1.10.1 in
    [this](https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea)
    commit. The check on [line
    421](https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea#diff-c3e536102670929
    [...]
    
    ### Does this PR introduce _any_ user-facing change?
    No.
    
    ### How was this patch tested?
    Pass GA
    
    ### Was this patch authored or co-authored using generative AI tooling?
    No.
    
    Closes #43108
    
    Closes #43109 from bjornjorgensen/snappy_compress.
    
    Authored-by: Bjørn Jørgensen <bjornjorgen...@gmail.com>
    Signed-off-by: Hyukjin Kwon <gurwls...@apache.org>
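As an added illustration (not code from snappy-java or Spark), the allocation pattern the release note above describes, in a hypothetical length-prefixed chunk reader: the unchecked reader allocates whatever the header declares, the checked reader validates the length against a cap before allocating. The frame layout, the class and method names, and the 1 MiB cap are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
// Hypothetical length-prefixed chunk format (assumption, not snappy-java's framing):
// each chunk is a 4-byte big-endian length followed by that many payload bytes.
public final class BoundedChunkReader {
    // Assumed cap on the chunk size this reader is willing to materialize.
    static final int MAX_CHUNK = 1 << 20; // 1 MiB
    // Vulnerable pattern: the declared length alone sizes the allocation, so a header
    // claiming 0x7FFFFFFF requests ~2 GiB before a single payload byte is read.
    static byte[] readChunkUnchecked(DataInputStream in) throws IOException {
        int len = in.readInt();
        byte[] buf = new byte[len]; // allocation driven entirely by untrusted input
        in.readFully(buf);
        return buf;
    }
    // Hardened pattern: validate the length against a fixed cap before allocating;
    // readFully still throws EOFException if the stream is shorter than declared.
    static byte[] readChunkChecked(DataInputStream in) throws IOException {
        int len = in.readInt();
        if (len < 0 || len > MAX_CHUNK) {
            throw new IOException("chunk length " + len + " exceeds limit " + MAX_CHUNK);
        }
        byte[] buf = new byte[len];
        in.readFully(buf);
        return buf;
    }
    // Builds a constructed frame whose header may disagree with the real payload size.
    static DataInputStream frame(int declaredLen, byte[] payload) {
        byte[] bytes = new byte[4 + payload.length];
        bytes[0] = (byte) (declaredLen >>> 24);
        bytes[1] = (byte) (declaredLen >>> 16);
        bytes[2] = (byte) (declaredLen >>> 8);
        bytes[3] = (byte) declaredLen;
        System.arraycopy(payload, 0, bytes, 4, payload.length);
        return new DataInputStream(new ByteArrayInputStream(bytes));
    }
    public static void main(String[] args) throws IOException {
        byte[] payload = "hello".getBytes(StandardCharsets.US_ASCII);
        byte[] ok = readChunkChecked(frame(payload.length, payload));
        System.out.println("valid chunk: " + new String(ok, StandardCharsets.US_ASCII));
        try { // header claims ~2 GiB but only 5 bytes follow: rejected before any allocation
            readChunkChecked(frame(Integer.MAX_VALUE, payload));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```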
---
 dev/deps/spark-deps-hadoop-3-hive-2.3 | 2 +-
 pom.xml                               | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/dev/deps/spark-deps-hadoop-3-hive-2.3 
b/dev/deps/spark-deps-hadoop-3-hive-2.3
index f11a7d757f1..206361e1efa 100644
--- a/dev/deps/spark-deps-hadoop-3-hive-2.3
+++ b/dev/deps/spark-deps-hadoop-3-hive-2.3
@@ -240,7 +240,7 @@ shims/0.9.45//shims-0.9.45.jar
 slf4j-api/2.0.9//slf4j-api-2.0.9.jar
 snakeyaml-engine/2.6//snakeyaml-engine-2.6.jar
 snakeyaml/2.0//snakeyaml-2.0.jar
-snappy-java/1.1.10.3//snappy-java-1.1.10.3.jar
+snappy-java/1.1.10.4//snappy-java-1.1.10.4.jar
 spire-macros_2.13/0.18.0//spire-macros_2.13-0.18.0.jar
 spire-platform_2.13/0.18.0//spire-platform_2.13-0.18.0.jar
 spire-util_2.13/0.18.0//spire-util_2.13-0.18.0.jar
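Review bot: the manifest entry `snappy-java/1.1.10.4//snappy-java-1.1.10.4.jar` matches the `<snappy.version>` bump in pom.xml, so the dependency-manifest check should stay consistent; since this file is generated, confirm the line came from regenerating the manifest rather than a hand edit, so that any change in transitive artifacts would also have been captured.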
diff --git a/pom.xml b/pom.xml
index 33dc854dd26..5fd3e173857 100644
--- a/pom.xml
+++ b/pom.xml
@@ -188,7 +188,7 @@
     
<fasterxml.jackson.databind.version>2.15.2</fasterxml.jackson.databind.version>
     <ws.xmlschema.version>2.3.0</ws.xmlschema.version>
     <org.glassfish.jaxb.txw2.version>3.0.2</org.glassfish.jaxb.txw2.version>
-    <snappy.version>1.1.10.3</snappy.version>
+    <snappy.version>1.1.10.4</snappy.version>
     <netlib.ludovic.dev.version>3.0.3</netlib.ludovic.dev.version>
     <commons-codec.version>1.16.0</commons-codec.version>
     <commons-compress.version>1.24.0</commons-compress.version>
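Review bot: the bump of `<snappy.version>` from 1.1.10.3 to 1.1.10.4 is the whole change, and the commit message itself notes the fix is limited to SnappyInputStream and does not affect callers that only use Snappy.compress/uncompress; a sentence in the commit body on whether Spark's code paths use the stream classes (or that the bump is for consistency with the advisory) would help future readers judge exposure. It is also worth confirming in the resolved dependency tree that no module overrides this property or still pulls 1.1.10.3 transitively.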

