[ 
https://issues.apache.org/jira/browse/HUDI-9265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17941730#comment-17941730
 ] 

sivabalan narayanan commented on HUDI-9265:
-------------------------------------------

We do pull in the parquet-avro library w/ "compile" scope in most of our 
bundles. 

 

Including the spark, utilities and flink libraries, which are used for writing.

spark3 -> 1.13.1 

spark3.3 -> 1.12.2

spark3.4 -> 1.12.3

spark3.5 -> 1.13.1

flink 1.20, 1.19, 1.18 -> 1.13.1

flink 1.17, 1.16, 1.15 -> 1.12.2

flink 1.14 -> 1.11.1

 

 

> Fix parquet-avro vulnerability which is being pulled into our bundles
> ---------------------------------------------------------------------
>
>                 Key: HUDI-9265
>                 URL: https://issues.apache.org/jira/browse/HUDI-9265
>             Project: Apache Hudi
>          Issue Type: Improvement
>          Components: dev-experience, reader-core, writer-core
>            Reporter: sivabalan narayanan
>            Assignee: sivabalan narayanan
>            Priority: Blocker
>             Fix For: 1.0.2
>
>         Attachments: image-2025-04-07-15-56-52-710.png
>
>
> [https://www.bleepingcomputer.com/news/security/max-severity-rce-flaw-discovered-in-widely-used-apache-parquet/]
>  
>  
> This impacts the parquet version used in hudi bundles. 
> Vulnerability has been fixed in 
> org.apache.parquet:parquet-avro version 1.15.1. 
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
