tlopesPT opened a new issue, #3387: URL: https://github.com/apache/parquet-java/issues/3387
A vulnerability (medium or high depending on source) has been published affecting all versions of aircompressor except 3.4.
https://www.cve.org/CVERecord?id=CVE-2025-67721

[Parquet-hadoop 1.16.0 uses 2.0.2](https://github.com/apache/parquet-java/blob/f62b2c058a8eded070cf5be87b3406f763a172b6/parquet-hadoop/pom.xml#L147) which is the latest release on that location, since the next major was released under aircompressor-v3
https://mvnrepository.com/artifact/io.airlift/aircompressor
https://mvnrepository.com/artifact/io.airlift/aircompressor-v3

There's an open PR to backport the CVE fix to a potential 2.0.3 but it's unclear if this will be picked up https://github.com/airlift/aircompressor/pull/309.

Are there plans to migrate to aircompressor-v3? Or any information if parquet-hadoop is unaffected by this vulnerability?

Best regards,
Tiago
