Hi,

It is required to shade the thrift library into parquet-format-structures because we use thrift to serialize/deserialize the metadata structures in the parquet files. So, you really don't have any way to change it at runtime. If it is urgent you may build your parquet-mr on your own with an upgraded thrift version. (The upgrade to 0.14.1 is already in master. See PARQUET-2005 for details.) It is unfortunate that we missed (or were not able) to upgrade the thrift library for the 1.12.0 release.
I think there are no big risks in doing a thrift upgrade in a bugfix release (1.12.1), but I would like to hear opinions from the community. I cannot give any ETA for this release, but there are other jiras in the queue already.

Cheers,
Gabor

On Mon, Aug 16, 2021 at 7:21 PM huhaiyang (C) <[email protected]> wrote:
> Hi all,
> To whom it may concern, when I introduce the Parquet-format-structure package in my project, there is a problem I have to deal with.
> It is a vulnerability in the shaded component libthrift 0.13.0 found in the latest release version 1.12.0, whose CVE number is CVE-2020-13949. It has disturbed me so much that I have no idea how to avoid this vulnerability, as there has been no bug-fixed version since Mar 25.
> Now I am sincerely asking you when the new version will be available or whether there is a solution to handle the vulnerability.
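Because the thrift classes are relocated inside the parquet-format-structures jar rather than pulled in as a separate dependency, a dependency scanner that only reads the pom will not see them, and neither can you swap them at runtime; the useful check is to open the jar itself. The script below is an added example written for this thread, not code from the Parquet project. It assumes two things that you should confirm against the release you hold: that the shaded classes live under the relocation prefix `shaded/parquet/org/apache/thrift/` and that maven-shade-plugin left the original `META-INF/maven/org.apache.thrift/libthrift/pom.properties` in the jar (if it was filtered out, the version is reported as unknown and the jar is flagged for rebuild). The minimum version defaults to 0.14.1, the version the message above says is in master. The sample jar is constructed in memory so the script runs offline; point `inspect_jar` at a real jar's bytes to use it for real.

```python
import io
import re
import sys
import zipfile
from typing import Optional

# Assumption: relocation prefix used by the parquet-format-structures shade config.
SHADED_THRIFT_PREFIX = "shaded/parquet/org/apache/thrift/"
# Assumption: maven-shade-plugin kept the dependency's pom.properties in the jar.
THRIFT_POM_PROPERTIES = "META-INF/maven/org.apache.thrift/libthrift/pom.properties"


def parse_version(version: str) -> tuple:
    """'0.14.1' -> (0, 14, 1); tolerates suffixes such as '0.14.1-SNAPSHOT'."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def inspect_jar(data: bytes) -> dict:
    """Count relocated thrift classes and read the bundled thrift version, if recorded."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        shaded = [n for n in names
                  if n.startswith(SHADED_THRIFT_PREFIX) and n.endswith(".class")]
        version = None
        if THRIFT_POM_PROPERTIES in names:
            props = jar.read(THRIFT_POM_PROPERTIES).decode("utf-8", "replace")
            for line in props.splitlines():
                line = line.strip()
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return {"shaded_thrift_classes": len(shaded), "thrift_version": version}


def needs_rebuild(report: dict, minimum: str = "0.14.1") -> bool:
    """True when the jar bundles thrift older than `minimum`, or bundles thrift
    whose version cannot be determined (treat unknown as not proven fixed)."""
    if report["shaded_thrift_classes"] == 0:
        return False  # nothing shaded: not this jar's problem
    if report["thrift_version"] is None:
        return True
    return parse_version(report["thrift_version"]) < parse_version(minimum)


def build_sample_jar(thrift_version: Optional[str]) -> bytes:
    """Constructed stand-in for a parquet-format-structures jar (not a real artifact).
    Class bodies are just the 0xCAFEBABE magic; only the entry names matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/parquet/format/FileMetaData.class", b"\xca\xfe\xba\xbe")
        jar.writestr(SHADED_THRIFT_PREFIX + "TBase.class", b"\xca\xfe\xba\xbe")
        jar.writestr(SHADED_THRIFT_PREFIX + "protocol/TCompactProtocol.class",
                     b"\xca\xfe\xba\xbe")
        if thrift_version is not None:
            jar.writestr(THRIFT_POM_PROPERTIES,
                         "groupId=org.apache.thrift\nartifactId=libthrift\n"
                         f"version={thrift_version}\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_shaded_thrift.py parquet-format-structures-1.12.0.jar
    # With no argument, inspect the constructed sample jar instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_jar("0.13.0")
    report = inspect_jar(data)
    print(report, "rebuild needed:", needs_rebuild(report))
```

If the check says rebuild, the fix Gabor describes is to build parquet-mr yourself with the thrift version bumped and re-run this on the jar you produced; a clean result from a scanner that never opened the jar is not evidence either way.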
