[jira] [Created] (ARROW-6984) Update LZ4 to 1.9.2 for CVE-2019-17543

Sangeeth Keeriyadath (Jira) Thu, 24 Oct 2019 06:12:23 -0700

Sangeeth Keeriyadath created ARROW-6984:
-------------------------------------------


             Summary: Update LZ4 to 1.9.2 for CVE-2019-17543
                 Key: ARROW-6984
                 URL: https://issues.apache.org/jira/browse/ARROW-6984
             Project: Apache Arrow
          Issue Type: Wish
          Components: C++
    Affects Versions: 0.15.0
            Reporter: Sangeeth Keeriyadath
             Fix For: 0.15.1


There is a reported CVE that LZ4 before 1.9.2 has a heap-based buffer overflow 
in LZ4_write32 (More details in here - 
[https://nvd.nist.gov/vuln/detail/CVE-2019-17543] ). I see that Apache Arrow 
uses *v1.8.3* version ( 
[https://github.com/apache/arrow/blob/47e5ecafa72b70112a64a1174b29b9db45f803ef/cpp/thirdparty/versions.txt#L38]
 ).

We need to bump up the dependency version of LZ4 to *1.9.2* to get past the 
reported CVE. Thank you!



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Created] (ARROW-6984) Update LZ4 to 1.9.2 for CVE-2019-17543

Reply via email to