paulteehan opened a new issue, #3967:
URL: https://github.com/apache/arrow-adbc/issues/3967
### What feature or improvement would you like to see?
Hello, our vulnerability scanner picked up the following from Python package
`adbc_driver_flightsql v1.10.0`. Would it be possible for you to make a new
release that bumps versions appropriately so that your packages can pass our
scans?
(You might remember this issue #3859, and thank you for the resolution!
From what I can tell this is a distinct new batch of vulnerabilities.)
```
usr/local/lib/python3.10/dist-packages/adbc_driver_flightsql/libadbc_driver_flightsql.so (gobinary)
===================================================================================================
Total: 4 (HIGH: 3, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2025-68121 │ CRITICAL │ fixed  │ v1.25.5           │ 1.24.13, 1.25.7, 1.26.0-rc.3 │ During session resumption in crypto/tls, if the underlying   │
│         │                │          │        │                   │                              │ Config has ......                                            │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-68121                   │
│         ├────────────────┼──────────┤        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-61726 │ HIGH     │        │                   │ 1.24.12, 1.25.6              │ golang: net/url: Memory exhaustion in query parameter        │
│         │                │          │        │                   │                              │ parsing in net/url                                           │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-61726                   │
│         ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-61728 │          │        │                   │                              │ golang: archive/zip: Excessive CPU consumption when building │
│         │                │          │        │                   │                              │ archive index in archive/zip                                 │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-61728                   │
│         ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-61730 │          │        │                   │                              │ During the TLS 1.3 handshake if multiple messages are sent   │
│         │                │          │        │                   │                              │ in records...                                                │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-61730                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘
```