[
https://issues.apache.org/jira/browse/SPARK-51795?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17982760#comment-17982760
]
David Beaudet commented on SPARK-51795:
---------------------------------------
This showed up on a security scan today. Would be great to avoid having to
submit waivers for this to our security team if a patch will be released soon.
I read the PR review and understand there's likely no actual risk. It's more a
matter of reducing friction for DEVs.
> Upgrade critical parquet CVE
> ----------------------------
>
> Key: SPARK-51795
> URL: https://issues.apache.org/jira/browse/SPARK-51795
> Project: Spark
> Issue Type: Improvement
> Components: Spark Core
> Affects Versions: 3.5.5
> Reporter: Jonathan Hart
> Priority: Major
> Labels: CVE, pull-request-available
>
> The parquet version (1.13.1) used by Spark 3.5.5 contains a major CVE
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30065 that allows
> remote code execution. It is recommended to upgrade to parquet versions >
> 1.15.1.
> The latest v4.0.0-rc4 has been updated to the latest parquet version, but
> ideally it should be backported to the 3.5.x branch.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
