Posted to github@arrow.apache.org by "jorisvandenbossche (via GitHub)" <gi...@apache.org> on 2023/06/01 06:51:29 UTC

[GitHub] [arrow] jorisvandenbossche commented on issue #35846: Minimum required numpy version (1.16.6) has security vulnerability

jorisvandenbossche commented on issue #35846:
URL: https://github.com/apache/arrow/issues/35846#issuecomment-1571460465

   Indeed, it is up to applications and end users to ensure they use a newer numpy version in case those security reports are relevant for them (for many users scripting locally, it is not relevant at all), and not for libraries starting to limit allowed versions.
   
   https://github.com/numpy/numpy/issues/19038 is also an interesting read, and essentially disputes the vulnerability, quoting:
   
   > Not a meaningful vulnerability because triggering the issue seems only plausible if the malicious party already has the privilege to run NumPy commands. Thus, while a bug, it does not present an escalation of privilege.

