[ https://issues.apache.org/jira/browse/PARQUET-1894?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17169795#comment-17169795 ]

Gabor Szadovszky commented on PARQUET-1894:
-------------------------------------------

To summarize, Avro has breaking changes between 1.8.x and 1.9.x and also in 
1.10.x (because in Avro versioning scheme these are major releases). Parquet 
1.10.x depends on Avro 1.8.x, Parquet 1.11.x depends on Avro 1.9.x and Parquet 
1.12.x will depend on Avro 1.10.x. Spark is still struggling to upgrade to 
Parquet 1.11.0 because of the Avro breaking changes.

(Theoretically, the only breaking change between Avro 1.9.x and 1.10.x is the 
removal of jodatime, so it should not be a big deal to upgrade to Parquet 
1.12.x after 1.11.x.)

> Please fix the related Shaded Jackson Databind CVEs
> ---------------------------------------------------
>
>                 Key: PARQUET-1894
>                 URL: https://issues.apache.org/jira/browse/PARQUET-1894
>             Project: Parquet
>          Issue Type: Bug
>          Components: parquet-mr
>    Affects Versions: 1.11.0
>            Reporter: Rodney Aaron Stainback
>            Priority: Major
>
> The following CVEs are all related to version 2.9.10 of Jackson databind 
> which you shade
> |cve|severity|cvss|
> |CVE-2019-16942|critical|9.8|
> |CVE-2019-16943|critical|9.8|
> |CVE-2019-17531|critical|9.8|
> |CVE-2019-20330|critical|9.8|
> |CVE-2020-10672|high|8.8|
> |CVE-2020-10673|high|8.8|
> |CVE-2020-10968|high|8.8|
> |CVE-2020-10969|high|8.8|
> |CVE-2020-11111|high|8.8|
> |CVE-2020-11112|high|8.8|
> |CVE-2020-11113|high|8.8|
> |CVE-2020-11619|critical|9.8|
> |CVE-2020-11620|critical|9.8|
> |CVE-2020-14060|high|8.1|
> |CVE-2020-14061|high|8.1|
> |CVE-2020-14062|high|8.1|
> |CVE-2020-14195|high|8.1|
> |CVE-2020-8840|critical|9.8|
> |CVE-2020-9546|critical|9.8|
> |CVE-2020-9547|critical|9.8|
> |CVE-2020-9548|critical|9.8|
>  
> Our security team is trying to block us from using parquet files because of 
> this issue



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
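The issue above concerns a jackson-databind copy that parquet-mr shades into its jars, and the comment explains why the version cannot simply be bumped. The script below is an added example (not Parquet's or Jackson's code) of the check a security team can run themselves: open a jar, read the version from the `META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties` entry that maven-shade-plugin carries over by default, confirm that relocated jackson-databind classes are actually present, and compare the version against a patched baseline. The sample jar it builds is constructed in memory, the `shaded/parquet/` relocation prefix is an assumption for that sample, and the `2.9.10.5` baseline is an illustrative value; take the real fix versions from the CVE entries listed in the issue.

```python
import io
import re
import zipfile

# maven-shade-plugin copies each shaded dependency's pom.properties into the fat jar
# under META-INF/maven/<groupId>/<artifactId>/; most scanners key on that entry.
POM_PROPERTIES = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"
# A relocated copy of jackson-databind keeps the original package path as a suffix.
CLASS_SUFFIX = "com/fasterxml/jackson/databind/ObjectMapper.class"


def parse_version(text):
    """'2.9.10.5' -> (2, 9, 10, 5); tuple comparison then orders 2.9.10 below 2.9.10.5."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def parse_properties(raw):
    """Minimal Java .properties reader: key=value lines, '#' comments ignored."""
    props = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def find_shaded_jackson_databind(jar_bytes):
    """Return (version or None, list of relocated ObjectMapper class paths) for a jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        version = None
        if POM_PROPERTIES in names:
            props = parse_properties(jar.read(POM_PROPERTIES).decode("utf-8"))
            version = props.get("version")
        relocated = [name for name in names if name.endswith(CLASS_SUFFIX)]
    return version, relocated


def is_below_baseline(version, baseline):
    """True when the shaded version sorts below the patched baseline the team requires."""
    return parse_version(version) < parse_version(baseline)


def build_sample_jar(version, relocation_prefix="shaded/parquet/", include_jackson=True):
    """Constructed stand-in for a shaded parquet jar (not a real artifact).

    The relocation prefix is an assumption for this sample only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/apache/parquet/Placeholder.class", b"\xca\xfe\xba\xbe")
        if include_jackson:
            jar.writestr(POM_PROPERTIES,
                         "#Generated by Maven\nversion=%s\n"
                         "groupId=com.fasterxml.jackson.core\n"
                         "artifactId=jackson-databind\n" % version)
            # Only the class-file magic number; enough for a path-based check.
            jar.writestr(relocation_prefix + CLASS_SUFFIX, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def audit(jar_bytes, baseline):
    """One-line verdict for a jar, including the case where pom.properties was stripped."""
    version, relocated = find_shaded_jackson_databind(jar_bytes)
    if version is None and not relocated:
        return "no shaded jackson-databind found"
    if version is None:
        return "relocated jackson-databind present but pom.properties missing: version unknown"
    verdict = "below baseline" if is_below_baseline(version, baseline) else "at or above baseline"
    return "shaded jackson-databind %s (%s %s) at %s" % (
        version, verdict, baseline, ", ".join(relocated))


if __name__ == "__main__":
    for sample_version in ("2.9.10", "2.9.10.5"):
        print(audit(build_sample_jar(sample_version), baseline="2.9.10.5"))
```

Two caveats for real jars: a shade configuration that filters out `META-INF/maven` leaves only the relocated class paths as evidence, which is why the script reports "version unknown" rather than "clean" in that case; and the version string is only a proxy, so a finding still has to be read against whether the deserialization gadgets the CVEs name are reachable from code that enables default typing on the shaded mapper.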