This is an automated email from the ASF dual-hosted git repository.
apitrou pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/arrow-site.git
The following commit(s) were added to refs/heads/main by this push:
new c00062bb6e4 GH-754: Remove incomplete, manually-maintained CVE list (#764)
c00062bb6e4 is described below
commit c00062bb6e4465c77e1553d5862a14d3c6e1dbb9
Author: Antoine Pitrou <[email protected]>
AuthorDate: Mon Mar 2 15:16:51 2026 +0100
GH-754: Remove incomplete, manually-maintained CVE list (#764)
---
security.md | 46 +++++++---------------------------------------
1 file changed, 7 insertions(+), 39 deletions(-)
diff --git a/security.md b/security.md
index 7c2a4de5f62..45b2a6f3d65 100644
--- a/security.md
+++ b/security.md
@@ -20,44 +20,12 @@ outlined by the Apache Software Foundation. We will assess
your report, follow
up with our evaluation of the issue, and fix it as soon as possible if we deem
it to be an actual security vulnerability.
-<hr class="my-5">
+# Published Security Issues
-### [CVE-2023-47248](https://www.cve.org/CVERecord?id=CVE-2023-47248):
Arbitrary code execution when loading a malicious data file in PyArrow
+For security advisories published since 2023, please refer to
+[this page](https://security.apache.org/projects/arrow/) maintained by the
Apache
+Security Team.
-**Severity**: Critical
-
-**Vendor**: The Apache Software Foundation
-
-**Versions affected**: 0.14.0 to 14.0.0
-
-**Description**: Deserialization of untrusted data in IPC and Parquet readers
-in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution.
-An application is vulnerable if it reads Arrow IPC, Feather or Parquet data
-from untrusted sources (for example user-supplied input files).
-
-**Mitigation**: Upgrade to version 14.0.1 or greater. If not possible, use the
-provided [hotfix package](https://pypi.org/project/pyarrow-hotfix/).
-
-### [CVE-2019-12408](https://www.cve.org/CVERecord?id=CVE-2019-12408):
Uninitialized Memory in C++ ArrayBuilder
-
-**Severity**: High
-
-**Vendor**: The Apache Software Foundation
-
-**Versions affected**: 0.14.x
-
-**Description**: It was discovered that the C++ implementation (which
underlies the R, Python and Ruby implementations) of Apache Arrow 0.14.0 to
0.14.1 had a uninitialized memory bug when building arrays with null values in
some cases. This can lead to uninitialized memory being unintentionally shared
if Arrow Arrays are transmitted over the wire (for instance with Flight) or
persisted in the streaming IPC and file formats.
-
-**Mitigation**: Upgrade to version 0.15.1 or greater.
-
-### [CVE-2019-12410](https://www.cve.org/CVERecord?id=CVE-2019-12410):
Uninitialized Memory in C++ Reading from Parquet
-
-**Severity**: High
-
-**Vendor**: The Apache Software Foundation
-
-**Versions affected**: 0.12.0 - 0.14.1
-
-**Description**: While investigating UBSAN errors in
[ARROW-6549](https://github.com/apache/arrow/pull/5365) it was discovered
Apache Arrow versions 0.12.0 to 0.14.1 left memory Array data uninitialized
when reading RLE null data from parquet. This affected the C++, Python, Ruby,
and R implementations. The uninitialized memory could potentially be shared if
are transmitted over the wire (for instance with Flight) or persisted in the
streaming IPC and file formats.
-
-**Mitigation**: Upgrade to version 0.15.1 or greater.
+For security advisories published before 2023, one can use
+[a targeted search
query](https://www.cve.org/CVERecord/SearchResults?query=%22Apache+Software+Foundation%22+%22arrow%22)
+on the CVE website.
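Review bot: the new `# Published Security Issues` heading is a level-1 header, whereas the entries it replaces were `###` sections; please check that the level matches the surrounding sections of security.md so the page outline stays consistent. Two smaller points on the replacement text: the CVE search link uses the free-text query `"Apache Software Foundation" "arrow"`, which can match records of other ASF projects whose description mentions "arrow", so a short note that readers should confirm the affected product in each record would help; and the removed CVE-2023-47248 entry carried a concrete mitigation (the `pyarrow-hotfix` package for users who cannot upgrade to 14.0.1) that is now gone from this page, so consider keeping a one-line pointer to it next to the advisory link.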