Posted to dev@parquet.apache.org by "huhaiyang (C)" <hu...@huawei.com> on 2021/08/16 15:03:56 UTC

【vulnerability confirmation】parquet-format-structures-1.12.0

Hi all,
    To whom it may concern: when I introduce the Parquet-format-structure package into my project, there is a problem I have to deal with.
It is a vulnerability in the shaded component libthrift 0.13.0, found in the latest release version 1.12.0, whose CVE number is CVE-2020-13949. It disturbs me so much, and I have no idea how to avoid this vulnerability, as there has been no bug-fixed version since Mar 25.
Now I am sincerely asking you when the new version will be available, or whether there is a solution to handle the vulnerability.

Re: 【vulnerability confirmation】parquet-format-structures-1.12.0

Posted by Gabor Szadovszky <ga...@apache.org>.
Hi,

It is required to shade the thrift library into parquet-format-structures
because we use thrift to serialize/deserialize the metadata structures in
the parquet files. So, you really don't have any way to change it at
runtime. If it is urgent you may build your parquet-mr on your own with an
upgraded thrift version. (The upgrade to 0.14.1 is already in master. See
PARQUET-2005 for details.)
It is unfortunate that we missed (or were not able) to upgrade the thrift
library for the 1.12.0 release.

I think there are no big risks in doing a thrift upgrade in a bugfix release
(1.12.1), but I would like to hear opinions from the community. I cannot give
any ETA for this release, but there are other jiras in the queue already.

Cheers,
Gabor

On Mon, Aug 16, 2021 at 7:21 PM huhaiyang (C) <hu...@huawei.com> wrote:

> Hi all,
>     To whom it may concern: when I introduce the Parquet-format-structure
> package into my project, there is a problem I have to deal with.
> It is a vulnerability in the shaded component libthrift 0.13.0, found in the
> latest release version 1.12.0, whose CVE number is CVE-2020-13949. It
> disturbs me so much, and I have no idea how to avoid this vulnerability, as
> there has been no bug-fixed version since Mar 25.
> Now I am sincerely asking you when the new version will be available, or
> whether there is a solution to handle the vulnerability.
>