Ranga Reddy created HUDI-9763:
---------------------------------
Summary: Upgrade parquet-avro version in Presto bundle
Key: HUDI-9763
URL: https://issues.apache.org/jira/browse/HUDI-9763
Project: Apache Hudi
Issue Type: Bug
Components: trino-presto
Reporter: Ranga Reddy
Fix For: 1.1.0
The last published [hudi-presto-bundle, 1.0.2|https://mvnrepository.com/artifact/org.apache.hudi/hudi-presto-bundle/1.0.2] is using parquet-avro version {{1.13.1}}.
This unfortunately has two rather bothersome CVEs -
# [CVE-2025-46762|https://github.com/advisories/GHSA-53wx-pr6q-m3j5], score
7.1/10 - Apache Parquet Java: Potential malicious code execution from trusted
packages in the parquet-avro module when reading an Avro schema from a Parquet
file metadata
# [CVE-2025-30065|https://github.com/advisories/GHSA-2c59-37c4-qrx5], score
10/10 - Apache Parquet Avro Module Vulnerable to Arbitrary Code Execution
Upgrading to parquet-avro {{1.15.2}} should fix these.
Reference Hudi Issue - https://github.com/apache/hudi/issues/13308
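Added example, not part of the original ticket or of Hudi's code: one way to check which parquet-avro version a bundle jar embeds and compare it with the 1.15.2 named above. It assumes the shaded bundle still carries the embedded artifact's Maven pom.properties entry; the function names, status labels and in-memory sample jars are constructed for illustration.

```python
import io
import re
import zipfile

FIXED = (1, 15, 2)  # version the ticket names as the fix
# Assumption: the bundle keeps the Maven metadata of the artifacts it embeds.
POM_PROPS = "META-INF/maven/org.apache.parquet/parquet-avro/pom.properties"

def parse_version(text):
    """Turn '1.13.1' or '1.15' into a comparable tuple; qualifiers are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def embedded_parquet_avro_version(jar):
    """Return the parquet-avro version recorded inside a jar, or None if absent."""
    with zipfile.ZipFile(jar) as zf:
        try:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
        except KeyError:
            return None  # metadata stripped: cannot tell from the jar alone
    for line in props.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None

def check_bundle(jar):
    """Classify a bundle as 'fixed', 'needs_upgrade' or 'unknown'."""
    version = embedded_parquet_avro_version(jar)
    if version is None:
        return "unknown", None
    status = "fixed" if parse_version(version) >= FIXED else "needs_upgrade"
    return status, version

def make_sample_jar(version):
    """Constructed in-memory jar holding only the metadata entry (or nothing)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            body = "#Generated by Maven\ngroupId=org.apache.parquet\n"
            body += f"artifactId=parquet-avro\nversion={version}\n"
            zf.writestr(POM_PROPS, body)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for v in ("1.13.1", "1.15.2", None):
        print(v, check_bundle(make_sample_jar(v)))
```

An 'unknown' result means the metadata entry is missing from the jar, not that the bundle is free of parquet-avro; in that case the version has to come from the build's dependency tree.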