
Conversation


@xxubai xxubai commented May 27, 2025

Why are the changes needed?

Some projects have updated the parquet-avro version to fix a CVE; we should fix it ASAP:

Brief change log

How was this patch tested?

  • Add some test cases that check the changes thoroughly including negative and positive cases if possible

  • Add screenshots for manual tests if appropriate

  • Run test locally before making a pull request

Documentation

  • Does this pull request introduce a new feature? (no)
  • If yes, how is the feature documented? (not documented)
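The check a reviewer of a bump like this one wants is mechanical: read every version pinned in pom.xml, expand the `<foo.version>` property references the Amoro pom uses, and flag any artifact below the required floor. The script below is an added example (not code from the apache/amoro project); the 1.15.2 floor for parquet-avro is the version this PR bumps to, the netty floor and the sample pom content are constructed for the example, and the version comparator is a simplification of Maven's full ordering rules that is sufficient for pins of the `1.15.2` / `4.1.100.Final` shape seen in this PR.

```python
"""Scan a Maven pom.xml for dependencies pinned below a required minimum.

Added example, not apache/amoro project code. The parquet-avro floor (1.15.2)
is taken from this PR; the netty floor and the sample pom are constructed.
"""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
PROP_RE = re.compile(r"\$\{([^}]+)\}")

# Minimum acceptable versions. parquet-avro: the version this PR bumps to.
# netty-all: hypothetical floor, only to show a second artifact being checked.
MINIMUMS = {
    ("org.apache.parquet", "parquet-avro"): "1.15.2",
    ("io.netty", "netty-all"): "4.1.100.Final",
}

# Constructed sample pom: a <properties> block plus dependencyManagement,
# mirroring how the amoro pom pins versions through <foo.version> properties.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <parquet-avro.version>1.13.1</parquet-avro.version>
    <netty.version>4.1.100.Final</netty.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.parquet</groupId>
        <artifactId>parquet-avro</artifactId>
        <version>${parquet-avro.version}</version>
      </dependency>
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-all</artifactId>
        <version>${netty.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
"""


def version_key(version):
    """Sort key for Maven-style versions such as 1.15.2 or 4.1.100.Final.

    Numeric segments compare as integers; a qualifier such as 'Final' compares
    as a string after the numbers. This simplifies Maven's ComparableVersion
    rules but orders the pins seen in this PR correctly.
    """
    key = []
    for part in re.split(r"[.\-]", version):
        key.append((0, int(part)) if part.isdigit() else (1, part))
    return key


def resolve(value, props):
    """Expand ${prop} references (recursively) using the pom's <properties>."""
    seen = set()
    while True:
        m = PROP_RE.search(value)
        if not m:
            return value
        name = m.group(1)
        if name in seen or name not in props:
            raise ValueError(f"unresolvable property: {name}")
        seen.add(name)
        value = value.replace(m.group(0), props[name])


def pinned_versions(pom_xml):
    """Return {(groupId, artifactId): version} for every <dependency> with a version."""
    root = ET.fromstring(pom_xml)
    props = {}
    for p in root.findall("m:properties/*", NS):
        props[p.tag.split("}")[1]] = (p.text or "").strip()
    pins = {}
    for dep in root.iter("{%s}dependency" % NS["m"]):
        gid = dep.findtext("m:groupId", namespaces=NS)
        aid = dep.findtext("m:artifactId", namespaces=NS)
        ver = dep.findtext("m:version", namespaces=NS)
        if gid and aid and ver:
            pins[(gid.strip(), aid.strip())] = resolve(ver.strip(), props)
    return pins


def find_outdated(pom_xml, minimums=MINIMUMS):
    """Return [(groupId, artifactId, pinned, required)] for pins below their floor."""
    findings = []
    for coords, pinned in pinned_versions(pom_xml).items():
        required = minimums.get(coords)
        if required and version_key(pinned) < version_key(required):
            findings.append(coords + (pinned, required))
    return findings


if __name__ == "__main__":
    for gid, aid, pinned, required in find_outdated(SAMPLE_POM):
        print(f"{gid}:{aid} pinned at {pinned}, need >= {required}")
```

Run it against the real pom instead of `SAMPLE_POM` to confirm the bump landed. Note that this only checks what the pom pins directly; a transitive parquet-avro pulled in by another dependency (the reason the merged change also adds a parquet-hadoop exclusion) is only visible in the resolved dependency tree, not in the pom text.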

@github-actions github-actions bot added module:mixed-spark Spark module for Mixed Format module:mixed-trino trino module for Mixed Format type:build module:common labels May 27, 2025
pom.xml Outdated
<derby-jdbc.version>10.14.2.0</derby-jdbc.version>
<commons-dbcp2.version>2.9.0</commons-dbcp2.version>
<netty.version>4.1.86.Final</netty.version>
<netty.version>4.1.100.Final</netty.version>
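Review bot: the netty bump in this hunk (4.1.86.Final to 4.1.100.Final) is marked Outdated and did not survive to the merge: the PR title was renamed to bump only parquet-avro and the commit list ends with "remove netty". If the netty upgrade is retried in a separate PR, align it with the version Iceberg already brings in (the reviewer points to 4.1.112.Final for Iceberg 1.6.1) rather than picking an intermediate release, so that only one netty version ends up on the classpath and the conflicts the author mentions do not recur.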
Contributor

What about 4.1.112.Final? Iceberg 1.6.1 uses this version.

Contributor Author

I gave up upgrading the netty version since it has some conflicts.
It's clean if only parquet-avro is upgraded.

@codecov-commenter

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 21.76%. Comparing base (58c6013) to head (e6bcbb5).
Report is 1 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff            @@
##             master    #3580   +/-   ##
=========================================
  Coverage     21.76%   21.76%           
  Complexity     2391     2391           
=========================================
  Files           431      431           
  Lines         40501    40501           
  Branches       5745     5745           
=========================================
  Hits           8816     8816           
  Misses        30938    30938           
  Partials        747      747           
Flag Coverage Δ
trino 21.76% <ø> (ø)



czy006 commented May 29, 2025

I have submitted a similar PR (PR-3174); you can check whether it helps.

@xxubai xxubai changed the title [Hotfix] Bump parquet-avro to 1.15.2 and netty to fix CVE [Hotfix] Bump parquet-avro to 1.15.2 to fix CVE May 29, 2025
@xxubai xxubai requested a review from czy006 May 29, 2025 15:31
@xxubai xxubai merged commit 50e8ece into apache:master May 30, 2025
6 checks passed
@xxubai xxubai deleted the fix-cve branch May 30, 2025 03:27
@Jzjsnow Jzjsnow mentioned this pull request Aug 11, 2025
Jzjsnow pushed a commit to Jzjsnow/amoro that referenced this pull request Aug 20, 2025
* Fix CVE-2025-30065 and CVE-2025-24970

* fix: add exclusion for parquet-hadoop dependency in pom.xml

* fix: update expected value in TestKeyedTable to reflect correct data

* fix: remove unused parquet dependencies and add TODO for future JDK upgrade

* fix: update parquet-avro version to 1.15.2

* fix: downgrade netty version to 4.1.100.Final

* fix: update netty version to 4.1.112.Final

* remove netty

---------

Co-authored-by: ConradJam <jam.gzczy@gmail.com>
(cherry picked from commit 50e8ece)
zhoujinsong pushed a commit that referenced this pull request Aug 25, 2025
(cherry picked from commit 50e8ece)
xxubai added a commit to xxubai/amoro that referenced this pull request Oct 14, 2025
(cherry picked from commit 50e8ece)