[ https://issues.apache.org/jira/browse/IMPALA-14579?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
jichen updated IMPALA-14579:
----------------------------
Summary: Bump up paimon version to 1.3.1 for CVE-2025-46762 (was: Bump up
paimon version to 1.3.1 to fix to CVE-2025-46762)
> Bump up paimon version to 1.3.1 for CVE-2025-46762
> --------------------------------------------------
>
> Key: IMPALA-14579
> URL: https://issues.apache.org/jira/browse/IMPALA-14579
> Project: IMPALA
> Issue Type: Sub-task
> Reporter: jichen
> Assignee: jichen
> Priority: Minor
>
> *CVE-2025-46762:*
> Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and
> previous versions allows bad actors to execute arbitrary code. While 1.15.1
> introduced a fix to restrict untrusted packages, the default setting of
> trusted packages still allows malicious classes from these packages to be
> executed. The exploit is only applicable if the client code of parquet-avro
> uses the "specific" or the "reflect" models deliberately for reading Parquet
> files. (The "generic" model is not impacted.)
> The following PR, [parquet] Bump parquet version to 1.15.2 (#6363),
> has been merged since paimon-1.3.0,
> so Impala needs to upgrade its paimon version to 1.3.0 or later to fix the CVE
> as well.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)