This is an automated email from the ASF dual-hosted git repository.

kou pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/arrow-site.git


The following commit(s) were added to refs/heads/main by this push:
     new d4efc8b61f4 [Website] Update security page with latest CVE (#433)
d4efc8b61f4 is described below

commit d4efc8b61f4fc2f45ac2020552822685a6c9ec19
Author: Antoine Pitrou <[email protected]>
AuthorDate: Thu Nov 16 22:23:26 2023 +0100

    [Website] Update security page with latest CVE (#433)
    
    Update security page with reference to
    https://www.cve.org/CVERecord?id=CVE-2023-47248.
    
    Also fix links to older CVEs to use the new official URLs.
---
 security.md | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/security.md b/security.md
index 00dd1842dc5..32924f95bff 100644
--- a/security.md
+++ b/security.md
@@ -12,7 +12,23 @@ To report a possible security vulnerability, please email 
[[email protected].
 
 <hr class="my-5">
 
-### 
[CVE-2019-12408](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12408):
 Uninitialized Memory in C++ ArrayBuilder
+### [CVE-2023-47248](https://www.cve.org/CVERecord?id=CVE-2023-47248): 
Arbitrary code execution when loading a malicious data file in PyArrow
+
+**Severity**: Critical
+
+**Vendor**: The Apache Software Foundation
+
+**Versions affected**: 0.14.0 to 14.0.0
+
+**Description**: Deserialization of untrusted data in IPC and Parquet readers
+in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution.
+An application is vulnerable if it reads Arrow IPC, Feather or Parquet data
+from untrusted sources (for example user-supplied input files).
+
+**Mitigation**: Upgrade to version 14.0.1 or greater. If not possible, use the
+provided [hotfix package](https://pypi.org/project/pyarrow-hotfix/).
+
+### [CVE-2019-12408](https://www.cve.org/CVERecord?id=CVE-2019-12408): 
Uninitialized Memory in C++ ArrayBuilder
 
 **Severity**: High
 
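Review bot: the Mitigation paragraph of the new CVE-2023-47248 entry links the hotfix package but does not say how it is applied, i.e. whether installing `pyarrow-hotfix` is sufficient or the application has to do something further to activate it; since this is the path for users who cannot upgrade to 14.0.1, a one-line usage note next to the link would save them a trip to PyPI. The "Versions affected: 0.14.0 to 14.0.0" line and the "Upgrade to version 14.0.1 or greater" mitigation are consistent with each other, and moving the CVE-2019-12408 heading to the https://www.cve.org/CVERecord?id= form matches the commit message.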
@@ -24,9 +40,7 @@ To report a possible security vulnerability, please email 
[[email protected].
 
 **Mitigation**: Upgrade to version 0.15.1 or greater.
 
-<hr class="my-5">
-
-### 
[CVE-2019-12410](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12410):
 Uninitialized Memory in C++ Reading from Parquet
+### [CVE-2019-12410](https://www.cve.org/CVERecord?id=CVE-2019-12410): 
Uninitialized Memory in C++ Reading from Parquet
 
 **Severity**: High
 
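Review bot: dropping the `<hr class="my-5">` between CVE-2019-12408 and CVE-2019-12410 here is consistent with the first hunk, which inserts the new CVE-2023-47248 entry above CVE-2019-12408 without a separator, so every entry is now delimited by its `###` heading alone; the `<hr>` that remains after the reporting-address paragraph still separates the instructions from the list. The CVE-2019-12410 heading is updated to the same cve.org URL form as the other two, so no mitre.org links remain in the touched lines.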
