[ 
https://issues.apache.org/jira/browse/ARROW-6984?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Krisztian Szucs reassigned ARROW-6984:
--------------------------------------

    Assignee: Krisztian Szucs

> [C++] Update LZ4 to 1.9.2 for CVE-2019-17543
> --------------------------------------------
>
>                 Key: ARROW-6984
>                 URL: https://issues.apache.org/jira/browse/ARROW-6984
>             Project: Apache Arrow
>          Issue Type: Wish
>          Components: C++
>    Affects Versions: 0.15.0
>            Reporter: Sangeeth Keeriyadath
>            Assignee: Krisztian Szucs
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 0.15.1
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> There is a reported CVE that LZ4 before 1.9.2 has a heap-based buffer
> overflow in LZ4_write32 (more details here:
> [https://nvd.nist.gov/vuln/detail/CVE-2019-17543]). I see that Apache Arrow
> uses *v1.8.3*
> ([https://github.com/apache/arrow/blob/47e5ecafa72b70112a64a1174b29b9db45f803ef/cpp/thirdparty/versions.txt#L38]).
> We need to bump up the dependency version of LZ4 to *1.9.2* to get past the
> reported CVE. Thank you!
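The issue above is a dependency-pin problem: a third-party library is pinned in a versions file at a release that predates a security fix. The script below is an added example, not Apache Arrow project code and not the reporter's, showing the check a maintainer would want to automate: parse the pinned versions and flag any pin that is below the minimum fixed release (here LZ4 >= 1.9.2, taken from the issue text). The `NAME_VERSION=value` file layout and the extra ZSTD entry are constructed for the example; the real `cpp/thirdparty/versions.txt` layout is not reproduced and is an assumption.

```python
# Added example (not Apache Arrow project code): flag pinned third-party
# dependency versions that fall below the minimum release containing a fix.
# The pin-file format is a constructed "NAME_VERSION=value" layout; the real
# cpp/thirdparty/versions.txt layout is an assumption and is not reproduced.
import re

# Constructed sample pin file: one dependency per line.
SAMPLE_PINS = """\
# third-party pins (constructed sample)
LZ4_VERSION=v1.8.3
ZSTD_VERSION=v1.4.3
"""

# Minimum versions known to contain a fix. The LZ4 floor comes from the issue
# text (CVE-2019-17543 is fixed in 1.9.2); other entries would come from the
# relevant advisories.
MINIMUM_FIXED = {"LZ4": "1.9.2"}


def parse_version(text: str) -> tuple:
    """Turn 'v1.8.3' or '1.9.2' into a tuple of ints so comparisons are numeric,
    not lexical (so 1.10.0 correctly sorts above 1.9.2)."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def parse_pins(content: str) -> dict:
    """Parse NAME_VERSION=value lines into {NAME: version string}.
    Blank lines and '#' comments are skipped."""
    pins = {}
    for raw in content.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        name = key.strip()
        if name.endswith("_VERSION"):
            name = name[: -len("_VERSION")]
        pins[name] = value.strip()
    return pins


def outdated_pins(content: str, minimums: dict = MINIMUM_FIXED) -> dict:
    """Return {name: (pinned, required)} for every pin below its fix floor.
    Dependencies that are not pinned in the file are not reported."""
    pins = parse_pins(content)
    findings = {}
    for name, required in minimums.items():
        pinned = pins.get(name)
        if pinned is None:
            continue
        if parse_version(pinned) < parse_version(required):
            findings[name] = (pinned, required)
    return findings


if __name__ == "__main__":
    for name, (pinned, required) in outdated_pins(SAMPLE_PINS).items():
        print(f"{name}: pinned {pinned}, needs >= {required}")
```

Run against the constructed sample this reports the LZ4 pin (v1.8.3 below 1.9.2) and says nothing about ZSTD, for which no floor is configured; a CI job can fail the build when the returned dict is non-empty.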



--
This message was sent by Atlassian Jira
(v8.3.4#803005)