[ANNOUNCE] Call for Presentations now open: Community over Code EU 2024
It's back *and* it's new!

We're excited to announce that the first edition of Community over Code Europe (formerly known as ApacheCon EU) will be held at the Radisson Blu Carlton Hotel in Bratislava, Slovakia from June 03-05, 2024! This eagerly anticipated event will be our first live EU conference since 2019.

The Call for Presentations (CFP) for Community Over Code EU 2024 is now open at https://eu.communityovercode.org/blog/cfp-open/, and will close 2024/01/12 23:59:59 GMT.

We welcome submissions on any topic related to the Apache Software Foundation, Apache projects, or the communities around those projects. We are specifically looking for presentations in the following categories:

* API & Microservices
* Big Data Compute
* Big Data Storage
* Cassandra
* CloudStack
* Community
* Data Engineering
* Fintech
* Groovy
* Incubator
* IoT
* Performance Engineering
* Search
* Tomcat, Httpd and other servers

Additionally, we are thrilled to introduce a new feature this year: a poster session. This addition will provide an excellent platform for showcasing high-level projects and incubator initiatives in a visually engaging manner. We believe this will foster lively discussions and facilitate networking opportunities among participants.

All my best, and thanks so much for your participation,

Ryan Skraba (on behalf of the program committee)

[Countdown]: https://www.timeanddate.com/countdown/to?iso=20240112T2359&p0=1440
CVE-2023-39410: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK
Severity: low

Affected versions:

- Apache Avro Java SDK before 1.11.3

Description:

When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.

This issue is being tracked as AVRO-3819

Credit:

Adam Korczynski at ADA Logics Ltd (finder)

References:

https://avro.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-39410
https://issues.apache.org/jira/browse/AVRO-3819
[ANNOUNCE] Apache Avro 1.11.3 released
The Apache Avro community is pleased to announce the release of Avro 1.11.3!

All signed release artifacts, signatures and verification instructions can be found here: https://avro.apache.org/releases.html

This is a minor release, specifically addressing known issues with the 1.11.2 release, but also contains version bumps and doc fixes.

The link to all fixed JIRA issues and a brief summary can be found at: https://github.com/apache/avro/releases/tag/release-1.11.3

In addition, language-specific release artifacts are available:

* C#: https://www.nuget.org/packages/Apache.Avro/1.11.3
* Java: https://repo1.maven.org/maven2/org/apache/avro/avro/1.11.3/
* Javascript: https://www.npmjs.com/package/avro-js/v/1.11.3
* Perl: https://metacpan.org/release/Avro
* Python 3: https://pypi.org/project/avro/1.11.3
* Ruby: https://rubygems.org/gems/avro/versions/1.11.3
* Rust: https://crates.io/crates/apache-avro/0.16.0

Thanks to everyone for contributing!

Ryan
[ANNOUNCE] Call for Tracks - Community over Code EU 2024 Bratislava
It's back *and* it's new!

We're excited to announce that the first edition of Community over Code Europe (formerly known as ApacheCon EU) will be held at the Radisson Blu Carlton Hotel in Bratislava, Slovenia from June 03-05, 2024! This eagerly anticipated event will be our first live EU conference since 2019.

We are eager to craft an exceptional experience for all attendees, and we're looking for your help. As we plan the schedule of sessions, we are seeking input on what tracks to host for this year's live event.

Please note: this event is smaller in both time and space than Community over Code NA, and we'll need to be judicious in selecting a program with something for everyone. There will be approximately 90 slots available for presentations.

To kickstart this process, we are issuing a general Call for Tracks. If you have a compelling proposal for a track at Community over Code EU 2024, please respond to this email with the following information:

* To: plann...@apachecon.com
* Subject: [EU Tracks] - {name of track}
* Short description of the track
* Track lead name(s)
* Expected number of sessions for your track
* Optional: ASF Projects that might be interested in contributing presentations for your track

Track leads are responsible for promoting the CFP for their tracks, selecting presentations and working as part of the program committee to coordinate the schedule.

Given the constraints, it's likely that we will need to merge tracks and adjust the number of sessions per track. Your help in making these decisions is highly valued; please don't hesitate to join the discussion on plann...@apachecon.com.

Track selection will be based on:

* Past attendance and interest
* Track lead experience and expertise
* Relevance to new technologies and approaches

Please have this information to plann...@apachecon.com[1] by 2023/09/05 at 23h59 UTC, so we can begin the selection!

Additionally, we are thrilled to introduce a new feature this year: a poster session. This addition will provide an excellent platform for showcasing high-level projects and incubator initiatives in a visually engaging manner. We believe this will foster lively discussions and facilitate networking opportunities among participants.

All my best, and thanks so much for your participation,

Ryan Skraba (on behalf of the program committee)

[1]: https://events.apache.org/involved/mailing-lists.html "Apache Conferences and Events Mailing Lists"
[ANNOUNCE] Apache Avro 1.11.2 released
The Apache Avro community is pleased to announce the release of Avro 1.11.2!

All signed release artifacts, signatures and verification instructions can be found here: https://avro.apache.org/releases.html

This release addresses ~89 Avro JIRA, including some interesting highlights:

C#
- AVRO-3434: Support logical schemas in reflect reader and writer
- AVRO-3670: Add NET 7.0 support
- AVRO-3724: Fix C# JsonEncoder for nested array of records
- AVRO-3756: Add a method to return types instead of writing them to disk

C++
- AVRO-3601: C++ API header contains breaking include
- AVRO-3705: C++17 support

Java
- AVRO-2943: Add new GenericData String/Utf8 ARRAY comparison test
- AVRO-2943: improve GenericRecord MAP type comparison
- AVRO-3473: Use ServiceLoader to discover Conversion
- AVRO-3536: Inherit conversions for Union type
- AVRO-3597: Allow custom readers to override string creation
- AVRO-3560: Throw SchemaParseException on dangling content beyond end of schema
- AVRO-3602: Support Map(with non-String keys) and Set in ReflectDatumReader
- AVRO-3676: Produce valid toString() for UUID JSON
- AVRO-3698: SpecificData.getClassName must replace reserved words
- AVRO-3700: Publish Java SBOM artifacts with CycloneDX
- AVRO-3783: Read LONG length for bytes, only allow INT sizes
- AVRO-3706: accept space in folder name

Python
- AVRO-3761: Fix broken validation of nullable UUID field
- AVRO-3229: Raise on invalid enum default only if validation enabled
- AVRO-3622: Fix compatibility check for schemas having or missing namespace
- AVRO-3669: Add py.typed marker file (PEP561 compliance)
- AVRO-3672: Add CI testing for Python 3.11
- AVRO-3680: allow to disable name validation

Ruby
- AVRO-3775: Fix decoded default value of logical type
- AVRO-3697: Test against Ruby 3.2
- AVRO-3722: Eagerly initialize instance variables for better inline cache hits

Rust
- Many, many bug fixes and implementation progress in this experimental SDK.
- Rust CI builds and lints are passing, and has been released to crates.io as version 0.15.0

In addition:
- Upgrade dependencies to latest versions, including CVE fixes.
- Testing and build improvements.
- Performance fixes, other bug fixes, better documentation and more...

The link to all fixed JIRA issues and a brief summary can be found at: https://github.com/apache/avro/releases/tag/release-1.11.2

In addition, language-specific release artifacts are available:

* C#: https://www.nuget.org/packages/Apache.Avro/1.11.2
* Java: https://repo1.maven.org/maven2/org/apache/avro/avro/1.11.2/
* Javascript: https://www.npmjs.com/package/avro-js/v/1.11.2
* Perl: https://metacpan.org/release/Avro
* Python 3: https://pypi.org/project/avro/1.11.2
* Ruby: https://rubygems.org/gems/avro/versions/1.11.2
* Rust: https://crates.io/crates/apache-avro/0.15.0

**Important**: a known issue has been discovered after the release that may affect the Java SDK when using the MAP type.

- AVRO-3789 [Java]: Problem when comparing empty MAP types.

Thanks to everyone for contributing!
CVE-2022-35724: Apache Avro: Denial of service while reading data in Avro Rust SDK
Severity: important

Description:

It is possible to provide data to be read that leads the reader to loop in cycles endlessly, consuming CPU. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which addresses this issue.

Credit:

This issue was reported to the Apache Avro team by Evan Richter at ForAllSecure and found with Mayhem.
CVE-2022-36124: Apache Avro: Memory overconsumption in Avro Rust SDK
Severity: moderate

Description:

It is possible for a Reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which addresses this issue.

Credit:

This issue was reported to the Apache Avro team by Evan Richter at ForAllSecure and found with Mayhem.
CVE-2022-36125: Apache Avro: Integer overflow when reading corrupted .avro file in Avro Rust SDK
Severity: important

Description:

It is possible to crash (panic) an application by providing corrupted data to be read. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which addresses this issue.

Credit:

This issue was reported to the Apache Avro team by Evan Richter at ForAllSecure and found with Mayhem.
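The following added example (not code from the apache-avro crate or from these advisories) shows the kind of checks a reader of length-prefixed Avro data needs against the failure classes named in CVE-2022-36124 and CVE-2022-36125: a declared length is validated before any buffer grows, and a varint is bounded so decoding cannot overflow. The names `read_long`, `read_bytes`, `DecodeError` and `MAX_BYTES_LEN` are hypothetical, and the inputs are constructed.

```rust
use std::io::Read;

/// Hypothetical cap chosen for this example; not a constant from apache-avro.
const MAX_BYTES_LEN: usize = 1 << 20;

#[derive(Debug, PartialEq)]
enum DecodeError {
    UnexpectedEof,
    VarintTooLong,
    NegativeLength(i64),
    LengthTooLarge(u64),
}

/// Decode an Avro `long` (zigzag varint). A 64-bit value needs at most
/// 10 bytes, so a longer run of continuation bits is rejected instead of
/// shifting past the width of the accumulator.
fn read_long<R: Read>(r: &mut R) -> Result<i64, DecodeError> {
    let mut value: u64 = 0;
    for i in 0..10u32 {
        let mut b = [0u8; 1];
        r.read_exact(&mut b).map_err(|_| DecodeError::UnexpectedEof)?;
        let low = u64::from(b[0] & 0x7f);
        if i == 9 && low > 1 {
            return Err(DecodeError::VarintTooLong); // bits beyond 64
        }
        value |= low << (7 * i);
        if b[0] & 0x80 == 0 {
            // Undo zigzag: even -> non-negative, odd -> negative.
            return Ok(((value >> 1) as i64) ^ -((value & 1) as i64));
        }
    }
    Err(DecodeError::VarintTooLong)
}

/// Decode an Avro `bytes` value: a `long` length followed by that many bytes.
/// The declared length is untrusted, so it is checked against `max_len`
/// and the buffer only grows as data actually arrives.
fn read_bytes<R: Read>(r: &mut R, max_len: usize) -> Result<Vec<u8>, DecodeError> {
    let len = read_long(r)?;
    if len < 0 {
        return Err(DecodeError::NegativeLength(len));
    }
    let len = len as u64;
    if len > max_len as u64 {
        return Err(DecodeError::LengthTooLarge(len));
    }
    let mut buf = Vec::new();
    r.by_ref()
        .take(len)
        .read_to_end(&mut buf)
        .map_err(|_| DecodeError::UnexpectedEof)?;
    if buf.len() as u64 != len {
        return Err(DecodeError::UnexpectedEof); // stream ended early
    }
    Ok(buf)
}

fn main() {
    // Constructed inputs, not captured from a real .avro file.
    let mut ok: &[u8] = &[0x06, b'a', b'b', b'c'];
    // Declares a length of i64::MAX followed by no data at all.
    let mut huge: &[u8] = &[0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01];
    println!("{:?}", read_bytes(&mut ok, MAX_BYTES_LEN));
    println!("{:?}", read_bytes(&mut huge, MAX_BYTES_LEN));
}
```
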
[ANNOUNCE] Apache Avro 1.11.1 released
The Apache Avro community is pleased to announce the release of Avro 1.11.0!

All signed release artifacts, signatures and verification instructions can be found here: https://avro.apache.org/releases.html

This release includes ~250 Jira issues, including some interesting features:

Some interesting highlights:

Avro specification
- [AVRO-3436] Clarify which names are allowed to be qualified with namespaces
- [AVRO-3370] Inconsistent behaviour on types as invalid names
- [AVRO-3275] Clarify how fullnames are created, with example
- [AVRO-3257] IDL: add syntax to create optional fields
- [AVRO-2019] Improve docs for logical type annotation

C++
- [AVRO-2722] Use of boost::mt19937 is not thread safe

C#
- [AVRO-3383] Many completed subtasks for modernizing C# coding style
- [AVRO-3481] Input and output variable type mismatch
- [AVRO-3475] Enforce time-millis and time-micros specification
- [AVRO-3469] Build and test using .NET SDK 7.0
- [AVRO-3468] Default values for logical types not supported
- [AVRO-3467] Use oracle-actions to test with Early Access JDKs
- [AVRO-3453] Avrogen Add Generated Code Attribute
- [AVRO-3432] Add command line option to skip creation of directories based on namespace path
- [AVRO-3411] Add Visual Studio Code Devcontainer support
- [AVRO-3388] Implement extra codecs for C# as separate nuget packages
- [AVRO-3265] avrogen generates uncompilable code when namespace ends with ".Avro"
- [AVRO-3219] Support nullable enum type fields

Java
- [AVRO-3531] GenericDatumReader in multithread lead to infinite loop
- [AVRO-3482] Reuse MAGIC in DataFileReader
- [AVRO-3586] Make Avro Build Reproducible
- [AVRO-3441] Automatically register LogicalTypeFactory classes
- [AVRO-3375] Add union branch, array index and map key "path" information to serialization errors
- [AVRO-3374] Fully qualified type reference "ns.int" loses namespace
- [AVRO-3294] IDL parsing allows doc comments in strange places
- [AVRO-3273] avro-maven-plugin breaks on old versions of Maven
- [AVRO-3266] Output stream incompatible with MagicS3GuardCommitter
- [AVRO-3243] Lock conflicts when using computeIfAbsent
- [AVRO-3120] Support Next Java LTS (Java 17)
- [AVRO-2498] UUID generation is not working

Javascript
- [AVRO-3489] Replace istanbul with nyc for code coverage
- [AVRO-3322] Buffer is not defined in browser environment
- [AVRO-3084] Fix JavaScript interop test to read files generated by other languages on CI

Perl
- [AVRO-3263] Schema validation warning on invalid schema with a long field

Python
- [AVRO-3542] Scale assignment optimization
- [AVRO-3521] "Scale" property from decimal object
- [AVRO-3380] Byte reading in avro.io does not assert read bytes to requested nbytes
- [AVRO-3229] validate the default value of an enum field
- [AVRO-3218] Pass LogicalType to BytesDecimalSchema

Ruby
- [AVRO-3277] Test against Ruby 3.1

Rust
- [AVRO-3558] Add a demo crate that shows usage as WebAssembly
- [AVRO-3526] Improve resolving Bytes and Fixed from string
- [AVRO-3506] Implement Single Object Writer
- [AVRO-3507] Implement Single Object Reader
- [AVRO-3405] Add API for user-provided metadata to file
- [AVRO-3339] Rename crate from avro-rs to apache-avro
- [AVRO-3479] Derive Avro Schema macro

Website
- [AVRO-2175] Website refactor
- [AVRO-3450] Document IDL support in IDEs

This is the first release that provides the Rust apache-avro crate at crates.io!

And of course upgraded dependencies to latest versions, CVE fixes and more https://issues.apache.org/jira/issues/?jql=project%20%3D%20AVRO%20AND%20fixVersion%20%3D%201.11.1

The link to all fixed JIRA issues and a brief summary can be found at: https://github.com/apache/avro/releases/tag/release-1.11.1

In addition, language-specific release artifacts are available:

* C#: https://www.nuget.org/packages/Apache.Avro/1.11.1
* Java: from Maven Central,
* Javascript: https://www.npmjs.com/package/avro-js/v/1.11.1
* Perl: https://metacpan.org/release/Avro
* Python 3: https://pypi.org/project/avro/1.11.1/
* Ruby: https://rubygems.org/gems/avro/versions/1.11.1
* Rust: https://crates.io/crates/apache-avro/0.14.0

Thanks to everyone for contributing!
CVE-2021-43045: Apache Avro: Possible DOS vulnerabilities in C# Avro SDK
Description:

A vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack. This issue affects .NET applications using Apache Avro version 1.10.2 and prior versions. Users should update to version 1.11.0 which addresses this issue.

This issue is being tracked as AVRO-3225, AVRO-3226

Credit:

Apache Avro would like to thank Philip Sanetra for reporting this issue.
[ANNOUNCE] Apache Avro 1.11.0 released
The Apache Avro community is pleased to announce the release of Avro 1.11.0!

All signed release artifacts, signatures and verification instructions can be found here: https://avro.apache.org/releases.html

This release includes 120 Jira issues, including some interesting features:

Specification: AVRO-3212 Support documentation tags for FIXED types
C#: AVRO-2961 Support dotnet framework 5.0
C#: AVRO-3225 Prevent memory errors when deserializing untrusted data
C++: AVRO-2923 Logical type corrections
Java: AVRO-2863 Support Avro core on android
Javascript: AVRO-3131 Drop support for node.js 10
Perl: AVRO-3190 Fix error when reading from EOF
Python: AVRO-2906 Improved performance validating deep record data
Python: AVRO-2914 Drop Python 2 support
Python: AVRO-3004 Drop Python 3.5 support
Ruby: AVRO-3108 Drop Ruby 2.5 support

For the first time, the 1.11.0 release includes experimental support for Rust. Work is continuing on this donated SDK, but we have not versioned and published official artifacts for this release.

Python: The avro package fully supports Python 3. We will no longer publish a separate avro-python3 package

And of course upgraded dependencies to latest versions, CVE fixes and more: https://issues.apache.org/jira/issues/?jql=project%3DAVRO%20AND%20fixVersion%3D1.11.0

The link to all fixed JIRA issues and a brief summary can be found at: https://github.com/apache/avro/releases/tag/release-1.11.0

In addition, language-specific release artifacts are available:

* C#: https://www.nuget.org/packages/Apache.Avro/1.11.0
* Java: from Maven Central,
* Javascript: https://www.npmjs.com/package/avro-js/v/1.11.0
* Perl: https://metacpan.org/release/Avro
* Python 3: https://pypi.org/project/avro/1.11.0
* Ruby: https://rubygems.org/gems/avro/versions/1.11.0

Thanks to everyone for contributing!
[ANNOUNCE] Apache Avro 1.10.2 released
The Apache Avro community is pleased to announce the release of Avro 1.10.2!

All signed release artifacts, signatures and verification instructions can be found here: https://avro.apache.org/releases.html

This release includes 31 Jira issues, including some interesting features:

C#: AVRO-3005 Support for large strings
C++: AVRO-3031 Fix for reserved keywords in generated code
Java: AVRO-2471 Fix for timestamp-micros in generated code
Java: AVRO-3060 Support ZSTD level and bufferpool options
Ruby: AVRO-2998 Records with symbol keys validation
Ruby: AVRO-3023 Validate with Ruby 3

Migration notes:

Python: AVRO-2656 The standard avro package supports Python 3, and the avro-python3 package is in the process of being deprecated.

And of course upgraded dependencies to latest versions, CVE fixes and more: https://issues.apache.org/jira/issues/?jql=project%20%3D%20AVRO%20AND%20fixVersion%20%3D%201.10.2

The link to all fixed JIRA issues and a brief summary can be found at: https://github.com/apache/avro/releases/tag/release-1.10.2

In addition, language-specific release artifacts are available:

* C#: https://www.nuget.org/packages/Apache.Avro/1.10.2
* Java: from Maven Central,
* Javascript: https://www.npmjs.com/package/avro-js/v/1.10.2
* Perl: https://metacpan.org/release/Avro
* Python 3: https://pypi.org/project/avro/1.10.2/
* Ruby: https://rubygems.org/gems/avro/versions/1.10.2

Thanks to everyone for contributing!
[ANNOUNCE] Apache Avro 1.10.1 released
The Apache Avro community is pleased to announce the release of Avro 1.10.1!

All signed release artifacts, signatures and verification instructions can be found here: https://avro.apache.org/releases.html

This release includes 33 Jira issues, including some interesting features:

C#: AVRO-2750 Support for enum defaults
C++: AVRO-2891 Expose last sync offset written on DataFileWriter
Java: AVRO-2924 SpecificCompiler add 'LocalDateTime' logical type
Java: AVRO-2937 Expose some missing flags in SpecificCompilerTool
PHP: AVRO-2096 Fixes to missing functions
Ruby: AVRO-2907 Ruby schema.single_object_schema_fingerprint is reversed

Migration notes:

Java: AVRO-2817 Turn off validateDefaults when reading legacy Avro files
Python: AVRO-2656 avro-python package is now the preferred python3 library and avro-python3 is prepared to be deprecated

And of course upgraded dependencies to latest versions, CVE fixes and more: https://issues.apache.org/jira/issues/?jql=project%20%3D%20AVRO%20AND%20fixVersion%20%3D%201.10.1

The link to all fixed JIRA issues and a brief summary can be found at: https://github.com/apache/avro/releases/tag/release-1.10.1

In addition, language-specific release artifacts are available:

* C#: https://www.nuget.org/packages/Apache.Avro/1.10.1
* Java: from Maven Central,
* Javascript: https://www.npmjs.com/package/avro-js/v/1.10.1
* Python 2: https://pypi.org/project/avro/1.10.1/
* Python 3: https://pypi.org/project/avro-python3/1.10.1/
* Ruby: https://rubygems.org/gems/avro/versions/1.10.1

Thanks to everyone for contributing!
[ANNOUNCE] Apache Avro 1.10.0 released
The Apache Avro community is pleased to announce the release of Avro 1.10.1!

All signed release artifacts, signatures and verification instructions can be found here: https://avro.apache.org/releases.html

This release includes 33 Jira issues, including some interesting features:

C#: AVRO-2750 Support for enum defaults
C++: AVRO-2891 Expose last sync offset written on DataFileWriter
Java: AVRO-2924 SpecificCompiler add 'LocalDateTime' logical type
Java: AVRO-2937 Expose some missing flags in SpecificCompilerTool
PHP: AVRO-2096 Fixes to missing functions
Ruby: AVRO-2907 Ruby schema.single_object_schema_fingerprint is reversed

Migration notes:

Java: AVRO-2817 Turn off validateDefaults when reading legacy Avro files
Python: AVRO-2656 avro-python package is now the preferred python3 library and avro-python3 is prepared to be deprecated

And of course upgraded dependencies to latest versions, CVE fixes and more: https://issues.apache.org/jira/issues/?jql=project%20%3D%20AVRO%20AND%20fixVersion%20%3D%201.10.1

The link to all fixed JIRA issues and a brief summary can be found at: https://github.com/apache/avro/releases/tag/release-1.10.1

In addition, language-specific release artifacts are available:

* C#: https://www.nuget.org/packages/Apache.Avro/1.10.1
* Java: from Maven Central,
* Javascript: https://www.npmjs.com/package/avro-js/v/1.10.1
* Python 2: https://pypi.org/project/avro/1.10.1/
* Python 3: https://pypi.org/project/avro-python3/1.10.1/
* Ruby: https://rubygems.org/gems/avro/versions/1.10.1

Thanks to everyone for contributing!
[ANNOUNCE] Apache Avro 1.9.2 released
The Apache Avro community is pleased to announce the release of Avro 1.9.2!

All signed release artifacts, signatures and verification instructions can be found here:

* https://www.apache.org/dyn/closer.cgi/avro/
* The keys used to sign the release: https://dist.apache.org/repos/dist/release/avro/KEYS

This release includes 73 Jira issues, including bug fixes:

* C#: AVRO-2606 handle multidimensional arrays of custom types
* Java: AVRO-2592 Avro decimal fails on some conditions
* Java: AVRO-2641 Generated code results in java.lang.ClassCastException
* Java: AVRO-2663 Projection on nested records does not work
* Python: AVRO-2429 unknown logical types should fall back

Improvements:

* Java: AVRO-2247 Improve Java reading performance with a new reader
* Python: AVRO-2104 Schema normalisation and fingerprint support for Python 3

Work to unify Python2 and Python3 APIs in preparation for sunset.
Improved tests
Improved, more reliable builds.
Improved readability
Upgraded dependencies to latest versions, including CVE fixes.
And more...

The link to all fixed JIRA issues and a brief summary can be found at: https://github.com/apache/avro/releases/tag/release-1.9.2

In addition, language-specific release artifacts are available:

* C#: https://www.nuget.org/packages/Apache.Avro/1.9.2
* Java: from Maven Central,
* Javascript: https://www.npmjs.com/package/avro-js/v/1.9.2
* Python 2: https://pypi.org/project/avro/1.9.2/
* Python 3: https://pypi.org/project/avro-python3/1.9.2.1/ - See https://issues.apache.org/jira/browse/AVRO-2737
* Ruby: https://rubygems.org/gems/avro/versions/1.9.2

Thanks to everyone for contributing!

Ryan Skraba