[ANNOUNCEMENT] Apache Commons IO 2.14.0

2023-09-30 Thread Gary Gregory
The Apache Commons team is pleased to announce the release of Apache
Commons IO 2.14.0.

Commons IO is a package of Java utility classes like java.io. Classes
in this package are considered to be so standard and of such high
reuse as to justify existence in java.io.

The Apache Commons IO library contains utility classes, stream
implementations, file filters, file comparators, endian transformation
classes, and much more.

Java 8 is required.

Historical list of changes:
https://commons.apache.org/proper/commons-io/changes-report.html

For complete information on Apache Commons IO, including instructions
on how to submit bug reports, patches, or suggestions for improvement,
see the Apache Commons IO website:

https://commons.apache.org/proper/commons-io/

Download page: https://commons.apache.org/proper/commons-io/download_io.cgi

Have fun!
Gary Gregory
- Apache Commons Team


[ANNOUNCE] Apache Arrow nanoarrow 0.3.0 Released

2023-09-30 Thread Dewey Dunnington
The Apache Arrow community is pleased to announce the 0.3.0 release of
Apache Arrow nanoarrow. This release covers 42 resolved issues from 4
contributors[1].

The release is available now from [2].

Release notes are available at:
https://github.com/apache/arrow-nanoarrow/blob/apache-arrow-nanoarrow-0.3.0/CHANGELOG.md

What is Apache Arrow?
---------------------
Apache Arrow is a columnar in-memory analytics layer designed to
accelerate big data. It houses a set of canonical in-memory
representations of flat and hierarchical data along with multiple
language-bindings for structure manipulation. It also provides
low-overhead streaming and batch messaging, zero-copy interprocess
communication (IPC), and vectorized in-memory analytics libraries.
Languages currently supported include C, C++, C#, Go, Java,
JavaScript, Julia, MATLAB, Python, R, Ruby, and Rust.

What is Apache Arrow nanoarrow?
-------------------------------
Apache Arrow nanoarrow is a small C library for building and
interpreting Arrow C Data interface structures with bindings for users
of the R programming language. The vision of nanoarrow is that it
should be trivial for a library or application to implement an
Arrow-based interface. The library provides helpers to create types,
schemas, and metadata, an API for building arrays element-wise,
and an API to extract elements element-wise from an array. For a more
detailed description of the features nanoarrow provides and motivation
for its development, see [3].

Please report any feedback to the mailing lists ([4], [5]).

Regards,
The Apache Arrow Community

[1]: https://github.com/apache/arrow-nanoarrow/issues?q=is%3Aissue+milestone%3A%22nanoarrow+0.3.0%22+is%3Aclosed
[2]: https://www.apache.org/dyn/closer.cgi/arrow/apache-arrow-nanoarrow-0.3.0
[3]: https://github.com/apache/arrow-nanoarrow
[4]: https://lists.apache.org/list.html?u...@arrow.apache.org
[5]: https://lists.apache.org/list.html?d...@arrow.apache.org


CVE-2023-39410: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK

2023-09-30 Thread Ryan Skraba
Severity: low

Affected versions:

- Apache Avro Java SDK before 1.11.3

Description:

When deserializing untrusted or corrupted data, it is possible for a reader to 
consume memory beyond the allowed constraints and thus lead to out of memory on 
the system.

This issue affects Java applications using Apache Avro Java SDK up to and 
including 1.11.2.  Users should update to apache-avro version 1.11.3 which 
addresses this issue.

This issue is being tracked as AVRO-3819 

Credit:

Adam Korczynski at ADA Logics Ltd (finder)

References:

https://avro.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-39410
https://issues.apache.org/jira/browse/AVRO-3819