[ https://issues.apache.org/jira/browse/CALCITE-7097?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18007608#comment-18007608 ]

Mihai Budiu commented on CALCITE-7097:
--------------------------------------

Is the PR enough to resolve the issue, or do we need to upgrade avatica too?

> Update commons-lang3 to 3.18.0 to address CVE-2025-48924
> --------------------------------------------------------
>
>                 Key: CALCITE-7097
>                 URL: https://issues.apache.org/jira/browse/CALCITE-7097
>             Project: Calcite
>          Issue Type: Improvement
>          Components: core
>    Affects Versions: 1.40.0
>            Reporter: Niels Pardon
>            Assignee: Niels Pardon
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 1.41.0
>
>
> CVE-2025-48924 affects any versions of commons-lang before 3.18.0 including 2.x.
> calcite-core currently directly uses both commons-lang 2.x and commons-lang3 3.13.0.
> Additionally calcite-core depends on net.hydromatic:aggdesigner-algorithm:6.0 which pulls in commons-lang 2.x which has been changed to use commons-lang3 but not released yet and not upgraded to 3.18.0.
> https://github.com/julianhyde/aggdesigner/issues/3



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
