jichen created IMPALA-14579:
-------------------------------
Summary: Bump up paimon version to 1.3.1 to fix CVE-2025-46762
Key: IMPALA-14579
URL: https://issues.apache.org/jira/browse/IMPALA-14579
Project: IMPALA
Issue Type: Sub-task
Reporter: jichen
*CVE-2025-46762:*
Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be executed. The exploit is only applicable if the client code of parquet-avro uses the "specific" or the "reflect" models deliberately for reading Parquet files (the "generic" model is not impacted).
The following PR, "[parquet] Bump parquet version to 1.15.2 (#6363)", has been merged as of paimon-1.3.0, so Impala needs to upgrade its paimon version to 1.3.0 or later to fix the CVE as well.
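As an added check that is not part of this ticket or the Impala build: a small gate that scans `mvn dependency:tree` output and flags any resolved parquet-avro below 1.15.2 or paimon below 1.3.0, the floors stated above. The paimon artifact id `paimon-bundle` and the sample tree are assumptions constructed for the example.

```python
"""Flag dependency:tree entries below the version floors set by this ticket.
The sample tree at the bottom is constructed for illustration only."""
import re
from typing import Dict, List, Optional, Tuple

# Floors from the ticket: parquet-avro 1.15.2 carries the CVE-2025-46762 fix,
# and paimon 1.3.0 is the first release that pulls it in.
MIN_VERSIONS: Dict[str, str] = {
    "org.apache.parquet:parquet-avro": "1.15.2",
    "org.apache.paimon:paimon-bundle": "1.3.0",  # artifact id is assumed
}

def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Order Maven versions: numeric dotted prefix first, then release above
    any qualifier, so '1.15.2-SNAPSHOT' < '1.15.2' and '1.3' == '1.3.0'."""
    numeric, _, qualifier = version.partition("-")
    nums = [int(p) if p.isdigit() else 0 for p in numeric.split(".")]
    nums += [0] * (3 - len(nums))
    return tuple(nums), 0 if qualifier else 1

def parse_tree_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (group:artifact, version) for one dependency:tree line, or None
    for lines that carry no coordinate (plugin banners, BUILD SUCCESS)."""
    m = re.search(r"(\S+:\S+:\S+:\S+)\s*$", line)
    if not m:
        return None
    fields = m.group(1).split(":")
    # g:a:type:version[:scope]  or  g:a:type:classifier:version:scope
    version = fields[4] if len(fields) == 6 else fields[3]
    return f"{fields[0]}:{fields[1]}", version

def find_below_floor(tree_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (coordinate, resolved, minimum) for every tracked artifact
    resolved below its floor; every occurrence in the tree is reported."""
    findings = []
    for line in tree_lines:
        parsed = parse_tree_line(line)
        if parsed is None:
            continue
        coord, version = parsed
        floor = MIN_VERSIONS.get(coord)
        if floor and version_key(version) < version_key(floor):
            findings.append((coord, version, floor))
    return findings

SAMPLE_TREE = """\
[INFO] org.example:frontend:jar:0.1-SNAPSHOT
[INFO] +- org.apache.paimon:paimon-bundle:jar:1.2.0:compile
[INFO] |  \\- org.apache.parquet:parquet-avro:jar:1.15.1:compile
[INFO] \\- org.apache.parquet:parquet-hadoop:jar:1.15.2:compile
""".splitlines()

if __name__ == "__main__":
    for coord, got, need in find_below_floor(SAMPLE_TREE):
        print(f"{coord} resolved {got}, needs >= {need}")
```

Run it against the real tree with `mvn dependency:tree | python3 check_floors.py` after replacing `SAMPLE_TREE` with `sys.stdin`; a transitive parquet-avro pulled in by another dependency is reported just like the direct one.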
--
This message was sent by Atlassian Jira
(v8.20.10#820010)