Sangeeth Keeriyadath created ARROW-6984: -------------------------------------------
Summary: Update LZ4 to 1.9.2 for CVE-2019-17543 Key: ARROW-6984 URL: https://issues.apache.org/jira/browse/ARROW-6984 Project: Apache Arrow Issue Type: Wish Components: C++ Affects Versions: 0.15.0 Reporter: Sangeeth Keeriyadath Fix For: 0.15.1 There is a reported CVE that LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (More details in here - [https://nvd.nist.gov/vuln/detail/CVE-2019-17543] ). I see that Apache Arrow uses *v1.8.3* version ( [https://github.com/apache/arrow/blob/47e5ecafa72b70112a64a1174b29b9db45f803ef/cpp/thirdparty/versions.txt#L38] ). We need to bump up the dependency version of LZ4 to *1.9.2* to get past the reported CVE. Thank you! -- This message was sent by Atlassian Jira (v8.3.4#803005)