
Bump avro, fix CVE-2024-47561 #32770

Merged
merged 4 commits into from
Nov 18, 2024

Conversation

damccorm
Contributor

@damccorm damccorm commented Oct 14, 2024

Fixes #33144


Thank you for your contribution! Follow this checklist to help us incorporate your contribution quickly and easily:

  • Mention the appropriate issue in your description (for example: addresses #123), if applicable. This will automatically add a link to the pull request in the issue. If you would like the issue to automatically close on merging the pull request, comment fixes #<ISSUE NUMBER> instead.
  • Update CHANGES.md with noteworthy changes.
  • If this contribution is large, please file an Apache Individual Contributor License Agreement.

See the Contributor Guide for more tips on how to make review process smoother.

To check the build health, please visit https://github.com/apache/beam/blob/master/.test-infra/BUILD_STATUS.md

GitHub Actions Tests Status (on master branch): Build python source distribution and wheels | Python tests | Java tests | Go tests

See CI.md for more information about GitHub Actions CI or the workflows README to see a list of phrases to trigger workflows.

@damccorm
Contributor Author

damccorm commented Nov 18, 2024

May go with #33159 depending on how that goes. Update - can't go to 1.12.0 because of Java compatibility issues

@damccorm damccorm marked this pull request as ready for review November 18, 2024 21:58
@damccorm
Contributor Author

R: @Abacn

Contributor

Stopping reviewer notifications for this pull request: review requested by someone other than the bot, ceding control. If you'd like to restart, comment assign set of reviewers

@damccorm damccorm merged commit 3b759f2 into master Nov 18, 2024
24 checks passed
@damccorm damccorm deleted the users/damccorm/avroBump branch November 18, 2024 23:41
@Abacn
Contributor

Abacn commented Dec 10, 2024

I found the fix isn't effective, due to logic in BeamModulePlugin here:

```groovy
def librariesWithVersion = project.library.java.values().findAll { it.split(':').size() > 2 }
```

from which we get

```groovy
        force "org.apache.avro:avro:1.11.4"
        force "org.apache.avro:avro:1.11.3:tests"
```

and one always gets avro:1.11.3
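A worked illustration of the filter quoted in the comment above, added here as an editor's example rather than code from Beam or this PR: it mirrors the Groovy `findAll { it.split(':').size() > 2 }` in Python, shows that a `group:artifact:version:classifier` entry passes that filter exactly like a plain `group:artifact:version` one, and adds the check a reviewer would want after a CVE-driven bump: flag any remaining `force` line for the same group:artifact that is still below the patched version. The `LIBRARY_JAVA` map, its entries and all function names are constructed for the example; which of two conflicting `force` lines Gradle ultimately honours is not modelled.

```python
import re
from collections import defaultdict

# Constructed stand-in for a few entries of Beam's project.library.java map
# (assumption: the real map has many more entries; these values are illustrative).
LIBRARY_JAVA = {
    "avro": "org.apache.avro:avro:1.11.4",
    "avro_tests": "org.apache.avro:avro:1.11.3:tests",   # classifier entry left at the old version
    "guava": "com.google.guava:guava:33.1.0-jre",
    "slf4j_api": "org.slf4j:slf4j-api",                   # no version, so the filter drops it
}


def libraries_with_version(library_java):
    """Python rendering of the Groovy filter `findAll { it.split(':').size() > 2 }`.

    Any coordinate with three or more colon-separated parts passes, so a
    `group:artifact:version:classifier` entry is treated as a versioned library too.
    """
    return [coord for coord in library_java.values() if len(coord.split(":")) > 2]


def parse_coordinate(coord):
    """Split `group:artifact:version[:classifier]` into its parts."""
    parts = coord.split(":")
    if len(parts) < 3:
        raise ValueError(f"coordinate has no version: {coord}")
    classifier = parts[3] if len(parts) > 3 else None
    return parts[0], parts[1], parts[2], classifier


def version_key(version):
    """Numeric sort key: '1.11.4' -> (1, 11, 4); non-numeric pieces such as 'jre' count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.-]", version))


def gradle_force_lines(library_java):
    """The `force "..."` lines the plugin would emit for the filtered coordinates."""
    return [f'force "{coord}"' for coord in libraries_with_version(library_java)]


def find_conflicting_forces(library_java):
    """Map each group:artifact forced to more than one version to its sorted versions."""
    versions = defaultdict(set)
    for coord in libraries_with_version(library_java):
        group, artifact, version, _ = parse_coordinate(coord)
        versions[f"{group}:{artifact}"].add(version)
    return {ga: sorted(vs, key=version_key) for ga, vs in versions.items() if len(vs) > 1}


def forces_below(library_java, group_artifact, min_version):
    """Forced coordinates of `group_artifact` whose version is older than `min_version`.

    This is the check that would have flagged the avro:1.11.3:tests entry: a bump to
    the patched version only counts if every force line for that artifact is at or above it.
    """
    stale = []
    for coord in libraries_with_version(library_java):
        group, artifact, version, _ = parse_coordinate(coord)
        if f"{group}:{artifact}" == group_artifact and version_key(version) < version_key(min_version):
            stale.append(coord)
    return stale


if __name__ == "__main__":
    for line in gradle_force_lines(LIBRARY_JAVA):
        print(line)
    print("conflicting forces:", find_conflicting_forces(LIBRARY_JAVA))
    print("avro forces below 1.11.4:", forces_below(LIBRARY_JAVA, "org.apache.avro:avro", "1.11.4"))
```

Run against the constructed map, `find_conflicting_forces` reports `org.apache.avro:avro` forced to both 1.11.3 and 1.11.4, and `forces_below` names the `:tests` classifier entry as the one still under the patched version; a CI step that fails on either result would have caught the ineffective bump before merge.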

Successfully merging this pull request may close these issues.

[Task]: Upgrade Avro to 1.11.4 to fix CVE-2024-47561