FYI, I'm backporting HADOOP-19315, Bump avro from 1.9.2 to 1.11.4 to branch-3.4
https://github.com/apache/hadoop/pull/7615# it means there's binary incompatibility with downstream apps using avro 1.9.2 *but the avro bug is so critical they need to stop doing that ASAP* Our release notes will have to highlight the change and explain its a choice between this an RCE CVE when opening files from malicious third parties
