xuba pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/amoro.git
The following commit(s) were added to refs/heads/master by this push:
new 50e8ece68 [Hotfix] Bump parquet-avro to 1.15.2 to fix CVE (#3580)
50e8ece68 is described below
commit 50e8ece68a7d2d3c4562fad24c0b175e70335345
Author: Xu Bai <[email protected]>
AuthorDate: Fri May 30 11:27:30 2025 +0800
[Hotfix] Bump parquet-avro to 1.15.2 to fix CVE (#3580)
* Fix CVE-2025-30065 and CVE-2025-24970
* fix: add exclusion for parquet-hadoop dependency in pom.xml
* fix: update expected value in TestKeyedTable to reflect correct data
* fix: remove unused parquet dependencies and add TODO for future JDK
upgrade
* fix: update parquet-avro version to 1.15.2
* fix: downgrade netty version to 4.1.100.Final
* fix: update netty version to 4.1.112.Final
* remove netty
---------
Co-authored-by: ConradJam <[email protected]>
---
amoro-common/pom.xml | 5 +++++
amoro-format-iceberg/pom.xml | 5 -----
.../amoro-mixed-spark/v3.2/amoro-mixed-spark-3.2/pom.xml | 4 ++++
.../amoro-mixed-spark/v3.3/amoro-mixed-spark-3.3/pom.xml | 4 ++++
.../amoro-mixed-spark/v3.5/amoro-mixed-spark-3.5/pom.xml | 4 ++++
.../test/java/org/apache/amoro/trino/mixed/TestKeyedTable.java | 2 +-
pom.xml | 10 +++++++++-
7 files changed, 27 insertions(+), 7 deletions(-)
diff --git a/amoro-common/pom.xml b/amoro-common/pom.xml
index 74119b158..3075fd9ac 100644
--- a/amoro-common/pom.xml
+++ b/amoro-common/pom.xml
@@ -80,6 +80,11 @@
<artifactId>parquet-avro</artifactId>
</dependency>
+ <dependency>
+ <groupId>org.apache.parquet</groupId>
+ <artifactId>parquet-jackson</artifactId>
+ </dependency>
+
<dependency>
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-auth</artifactId>
diff --git a/amoro-format-iceberg/pom.xml b/amoro-format-iceberg/pom.xml
index e5db7445f..1d9e9dd30 100644
--- a/amoro-format-iceberg/pom.xml
+++ b/amoro-format-iceberg/pom.xml
@@ -129,11 +129,6 @@
</exclusions>
</dependency>
- <dependency>
- <groupId>org.apache.parquet</groupId>
- <artifactId>parquet-avro</artifactId>
- </dependency>
-
<dependency>
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-auth</artifactId>
diff --git
a/amoro-format-mixed/amoro-mixed-spark/v3.2/amoro-mixed-spark-3.2/pom.xml
b/amoro-format-mixed/amoro-mixed-spark/v3.2/amoro-mixed-spark-3.2/pom.xml
index f7bde90c3..8ef3cc0e4 100644
--- a/amoro-format-mixed/amoro-mixed-spark/v3.2/amoro-mixed-spark-3.2/pom.xml
+++ b/amoro-format-mixed/amoro-mixed-spark/v3.2/amoro-mixed-spark-3.2/pom.xml
@@ -255,6 +255,10 @@
<groupId>org.apache.parquet</groupId>
<artifactId>parquet-column</artifactId>
</exclusion>
+ <exclusion>
+ <groupId>org.apache.parquet</groupId>
+ <artifactId>parquet-hadoop</artifactId>
+ </exclusion>
</exclusions>
</dependency>
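Review bot: The added `parquet-hadoop` exclusion has no comment saying why it is needed or which artifact supplies parquet-hadoop afterwards; the same applies to the identical hunks in the v3.3 and v3.5 Spark poms. The dependency that owns this `<exclusions>` block starts above the hunk, so I cannot see which artifact it is, but the likely effect is that the Parquet jars in these modules can come from different releases. Since this is a security bump, it is worth confirming with `mvn dependency:tree -Dincludes=org.apache.parquet` that each Spark module still resolves parquet-avro 1.15.2 and no older copy is pulled in or shaded. I would also record the reason next to the exclusion, e.g. `<!-- parquet-hadoop excluded here: REASON -->`.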
diff --git
a/amoro-format-mixed/amoro-mixed-spark/v3.3/amoro-mixed-spark-3.3/pom.xml
b/amoro-format-mixed/amoro-mixed-spark/v3.3/amoro-mixed-spark-3.3/pom.xml
index c835f44fc..a1b3276fa 100644
--- a/amoro-format-mixed/amoro-mixed-spark/v3.3/amoro-mixed-spark-3.3/pom.xml
+++ b/amoro-format-mixed/amoro-mixed-spark/v3.3/amoro-mixed-spark-3.3/pom.xml
@@ -246,6 +246,10 @@
<groupId>org.apache.parquet</groupId>
<artifactId>parquet-column</artifactId>
</exclusion>
+ <exclusion>
+ <groupId>org.apache.parquet</groupId>
+ <artifactId>parquet-hadoop</artifactId>
+ </exclusion>
</exclusions>
</dependency>
diff --git
a/amoro-format-mixed/amoro-mixed-spark/v3.5/amoro-mixed-spark-3.5/pom.xml
b/amoro-format-mixed/amoro-mixed-spark/v3.5/amoro-mixed-spark-3.5/pom.xml
index 3fc8fcb1b..cd696e32f 100644
--- a/amoro-format-mixed/amoro-mixed-spark/v3.5/amoro-mixed-spark-3.5/pom.xml
+++ b/amoro-format-mixed/amoro-mixed-spark/v3.5/amoro-mixed-spark-3.5/pom.xml
@@ -250,6 +250,10 @@
<groupId>org.apache.parquet</groupId>
<artifactId>parquet-column</artifactId>
</exclusion>
+ <exclusion>
+ <groupId>org.apache.parquet</groupId>
+ <artifactId>parquet-hadoop</artifactId>
+ </exclusion>
</exclusions>
</dependency>
diff --git
a/amoro-format-mixed/amoro-mixed-trino/src/test/java/org/apache/amoro/trino/mixed/TestKeyedTable.java
b/amoro-format-mixed/amoro-mixed-trino/src/test/java/org/apache/amoro/trino/mixed/TestKeyedTable.java
index a33f05ab2..1e5cc74db 100644
---
a/amoro-format-mixed/amoro-mixed-trino/src/test/java/org/apache/amoro/trino/mixed/TestKeyedTable.java
+++
b/amoro-format-mixed/amoro-mixed-trino/src/test/java/org/apache/amoro/trino/mixed/TestKeyedTable.java
@@ -62,7 +62,7 @@ public class TestKeyedTable extends
TableTestBaseWithInitDataForTrino {
.matches(
"VALUES "
+ "('id', NULL, NULL, 0e0, NULL, '1', '4'), "
- + "('name$name', 429e0, NULL, 0e0, NULL, NULL, NULL), "
+ + "('name$name', 461e0, NULL, 0e0, NULL, NULL, NULL), "
+ "('op_time', NULL, NULL, 0e0, NULL, '2022-01-01
12:00:00.000000', '2022-01-04 12:00:00.000000'), "
+ "(NULL, NULL, NULL, NULL, 4e0, NULL, NULL)");
}
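Review bot: The expected value for `name$name` changes from `429e0` to `461e0` with nothing in the test explaining where the number comes from. It looks like a size statistic that follows the bytes the Parquet writer produces (an inference, as the query is outside the hunk), in which case it will shift again on the next Parquet upgrade. I would add a comment above the `.matches(` call such as `// name$name size as written by the managed Parquet version; re-check when it is bumped`, or relax the assertion for that column. The enclosing test method starts and ends outside the hunk.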
diff --git a/pom.xml b/pom.xml
index bde0125df..f98479380 100644
--- a/pom.xml
+++ b/pom.xml
@@ -118,7 +118,8 @@
<cglib.version>2.2.2</cglib.version>
<curator.version>5.7.0</curator.version>
<mockito.version>4.11.0</mockito.version>
- <parquet-avro.version>1.13.1</parquet-avro.version>
+ <parquet-jackson.version>1.13.1</parquet-jackson.version>
+ <parquet-avro.version>1.15.2</parquet-avro.version>
<mysql-jdbc.version>8.0.33</mysql-jdbc.version>
<orc-core.version>1.8.3</orc-core.version>
<awssdk.version>2.24.12</awssdk.version>
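Review bot: The commit description lists CVE-2025-24970 next to CVE-2025-30065, but this properties hunk changes only the Parquet versions, and no netty version or exclusion appears anywhere in the diff. The description's bullets pair that CVE with netty changes that end in "remove netty", so it reads as if that part was dropped before merge. Anyone auditing by commit message would take both CVEs as fixed here. If netty is managed elsewhere that should be stated, and otherwise the netty bump needs its own tracked change and the description should name only the CVE this diff addresses.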
@@ -373,6 +374,13 @@
<version>${parquet-avro.version}</version>
</dependency>
+ <!-- TODO: Remove this parquet-jackson when upgrade JDK to 17 or
higher -->
+ <dependency>
+ <groupId>org.apache.parquet</groupId>
+ <artifactId>parquet-jackson</artifactId>
+ <version>${parquet-jackson.version}</version>
+ </dependency>
+
<dependency>
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-auth</artifactId>
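Review bot: The new `parquet-jackson` entry is pinned through `${parquet-jackson.version}` to 1.13.1 while parquet-avro moves to 1.15.2, and the TODO above it does not say why the JDK level forces this. That leaves two Parquet releases on the classpath, and as far as I know parquet-jackson repackages Jackson, so the older bundled Jackson stays outside this security bump. I would spell out the reason and the exit condition, e.g. `<!-- TODO: parquet-jackson held at 1.13.1 because REASON; align with parquet-avro.version once the build runs on JDK 17+ -->`. It is also worth checking that parquet-avro 1.15.2 behaves correctly against the 1.13.1 jar in the modules that read Parquet metadata.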