[ https://issues.apache.org/jira/browse/HADOOP-18950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17825784#comment-17825784 ]

ASF GitHub Bot commented on HADOOP-18950:
-----------------------------------------

steveloughran commented on code in PR #4854:
URL: https://github.com/apache/hadoop/pull/4854#discussion_r1522032834


##########
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/Path.java:
##########
@@ -27,7 +27,7 @@
 import java.util.Optional;
 import java.util.regex.Pattern;
 
-import org.apache.avro.reflect.Stringable;
+import org.apache.hadoop.thirdparty.avro.reflect.Stringable;
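Review bot: this is a compatibility break on a public class, not just an import swap. `Path` carries the annotation so that Avro's reflect-based serialization treats it as a Stringable type, and unshaded Avro's `ReflectData` looks for its own `org.apache.avro.reflect.Stringable`, so after this hunk a downstream job that serializes `Path` with an unshaded Avro silently loses that handling. Keeping both annotations (the original alongside the `org.apache.hadoop.thirdparty.avro.reflect` one) would satisfy both readers; the JVM drops annotations whose class is absent at runtime, so the unshaded one is harmless without Avro on the classpath, but it does remain a compile-time dependency. If that is rejected, the change needs an incompatible-change release note. Note also that shading alone does nothing for users who still bring an unshaded Avro 1.11.2 onto the classpath; the CVE fix only reaches code paths that go through the thirdparty copy.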

Review Comment:
   This could be dangerous, as we are saying that a public class can no longer be serialised through Avro.
   
   Do you think it will be possible for us to retain the unshaded annotation as well as add the new one? And still have everything work without Avro on the CP?



##########
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/AvroFSInput.java:
##########
@@ -21,7 +21,7 @@
 import java.io.Closeable;
 import java.io.IOException;
 
-import org.apache.avro.file.SeekableInput;
+import org.apache.hadoop.thirdparty.avro.file.SeekableInput;
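Review bot: the interface type of a public class changes here with no deprecation or documentation. `AvroFSInput` exists so that callers can hand a Hadoop file to Avro's `DataFileReader`, and after this import swap the `SeekableInput` it exposes is `org.apache.hadoop.thirdparty.avro.file.SeekableInput`, which an unshaded Avro `DataFileReader` does not accept, so existing callers fail to compile against the new release. Either keep the class on the unshaded interface, since interop with caller-supplied Avro is its purpose, or mark it `@Deprecated` with a javadoc pointer to the shaded equivalent and an incompatible-change release note; the hunk does neither.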

Review Comment:
   Again, this is a public class we don't use internally.
   
   Should we actually deprecate it? I don't know what uses it.


> upgrade avro to 1.11.3 due to CVE
> ---------------------------------
>
>                 Key: HADOOP-18950
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18950
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: common
>            Reporter: Xuze Yang
>            Priority: Major
>              Labels: pull-request-available
>
> [https://nvd.nist.gov/vuln/detail/CVE-2023-39410]
> When deserializing untrusted or corrupted data, it is possible for a reader 
> to consume memory beyond the allowed constraints and thus lead to out of 
> memory on the system. This issue affects Java applications using Apache Avro 
> Java SDK up to and including 1.11.2. Users should update to apache-avro 
> version 1.11.3 which addresses this issue.
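
The memory-exhaustion pattern the issue describes, as an added example that is not Hadoop's or Avro's code: a constructed Python model of Avro's length-prefixed bytes encoding (zigzag varint length, then payload), with a reader that allocates the declared length unchecked beside one that bounds it against a cap and against the input actually remaining. `MAX_BYTES_LENGTH`, `LimitExceeded` and the sample messages are constructed for this demo; real readers make the cap configurable.

```python
MAX_BYTES_LENGTH = 1 << 20  # constructed cap; a real reader makes this configurable

class LimitExceeded(ValueError):
    """Declared size is larger than the reader is willing to allocate."""

def zigzag_varint(n: int) -> bytes:
    """Encode a signed long as Avro does: zigzag, then 7-bit groups, low first."""
    z = (n << 1) ^ (n >> 63)  # 0,-1,1,-2,... -> 0,1,2,3,...
    out = bytearray()
    while z > 0x7F:
        out.append((z & 0x7F) | 0x80)
        z >>= 7
    out.append(z)
    return bytes(out)

def read_long(buf: bytes, pos: int):
    """Decode one zigzag varint at buf[pos]; returns (value, new_pos)."""
    shift = result = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return (result >> 1) ^ -(result & 1), pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")

def read_bytes_unsafe(buf: bytes, pos: int, alloc=bytearray):
    """Vulnerable pattern: reserve the declared size first, then copy."""
    length, pos = read_long(buf, pos)
    out = alloc(length)             # attacker-chosen allocation, no check yet
    out[:] = buf[pos:pos + length]  # copies only the bytes that really exist
    return bytes(out), pos + length

def read_bytes_bounded(buf: bytes, pos: int, max_len: int = MAX_BYTES_LENGTH):
    """Hardened pattern: validate the declared length before touching memory."""
    length, pos = read_long(buf, pos)
    if length < 0:
        raise ValueError(f"negative length {length}")
    if length > max_len:
        raise LimitExceeded(f"declared {length} bytes exceeds limit {max_len}")
    if length > len(buf) - pos:
        raise ValueError(f"declared {length} bytes, only {len(buf) - pos} remain")
    return bytes(buf[pos:pos + length]), pos + length

# Constructed inputs: a legitimate 3-byte field and an 8-byte message declaring 1 TiB.
LEGIT = zigzag_varint(3) + b"abc"
BOMB = zigzag_varint(1 << 40) + b"xx"
```

The bounded reader rejects `BOMB` before any allocation, and it also rejects a field whose declared length exceeds the bytes left in the buffer, which is the other way corrupted input reaches the allocator.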



--
This message was sent by Atlassian Jira
(v8.20.10#820010)