Posted to dev@avro.apache.org by "zcsizmadia (via GitHub)" <gi...@apache.org> on 2023/09/25 19:52:10 UTC

[GitHub] [avro] zcsizmadia opened a new pull request, #2523: Bump minimum Newtonsoft version

zcsizmadia opened a new pull request, #2523:
URL: https://github.com/apache/avro/pull/2523

   ## What is the purpose of the change
   
   * Bump Newtonsoft version to fix vulnerability issues (AVRO-3874)
   https://github.com/advisories/GHSA-5crp-9r3c-p9vr
   
   ## Verifying this change
   
   This change is a trivial rework / code cleanup without any test coverage.
   
   ## Documentation
   
   - Does this pull request introduce a new feature? (no)
   - If yes, how is the feature documented? (not applicable)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@avro.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [avro] zcsizmadia commented on pull request #2523: AVRO-3874: Bump minimum Newtonsoft version

Posted by "zcsizmadia (via GitHub)" <gi...@apache.org>.
zcsizmadia commented on PR #2523:
URL: https://github.com/apache/avro/pull/2523#issuecomment-1736186228

   That PR was rejected IMO before the severe vulnerability was discovered. I think this bump needs to happen because of the high severity of the issue. The new .NET 8 compiler will warn about using the vulnerable version.


[GitHub] [avro] KalleOlaviNiemitalo commented on pull request #2523: AVRO-3874: Bump minimum Newtonsoft version

Posted by "KalleOlaviNiemitalo (via GitHub)" <gi...@apache.org>.
KalleOlaviNiemitalo commented on PR #2523:
URL: https://github.com/apache/avro/pull/2523#issuecomment-1736179560

   A similar change was rejected in <https://github.com/apache/avro/pull/1160>.  Even if Apache.Avro depends on a lower version of Newtonsoft.Json, applications that use it can add a direct dependency on the latest version.
   
   Would the stack overflow be exploited via a malicious schema, or via malicious data?  If the latter, then I don't think just upgrading Newtonsoft.Json will suffice, as PreresolvingDatumReader<T> also works recursively and does not seem to implement any depth limits.
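An added example to illustrate the two points in the comment above; it is not code from the Avro project or from either commenter and is written against Newtonsoft.Json only. It shows the reader-level MaxDepth guard that the referenced advisory concerns, and the kind of explicit depth check that any recursive walk over untrusted input needs; the class name and the constructed nested input are assumptions.

```csharp
// Added example (not Apache Avro project code). Requires the Newtonsoft.Json package.
using System;
using System.IO;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

public static class DepthGuardDemo
{
    // Constructed input: a JSON document nested `depth` arrays deep, e.g. "[[[]]]".
    public static string NestedArrays(int depth) =>
        new string('[', depth) + new string(']', depth);

    // Parse with an explicit MaxDepth. Newtonsoft.Json 13.0.1 and later default this
    // to 64; earlier versions set no limit, so deeply nested input could exhaust the
    // stack during parsing. Exceeding the limit raises JsonReaderException.
    public static bool TryParse(string json, int maxDepth, out string error)
    {
        error = null;
        try
        {
            using var reader = new JsonTextReader(new StringReader(json)) { MaxDepth = maxDepth };
            while (reader.Read()) { }
            return true;
        }
        catch (JsonReaderException ex)
        {
            error = ex.Message;
            return false;
        }
    }

    // A recursive walk that tracks its own depth and stops before going deeper than
    // `maxDepth`: the kind of guard a recursive reader needs independently of the
    // JSON parser's own limit, since a parser setting protects only the parsing step.
    public static int MaxNesting(JToken token, int maxDepth, int depth = 0)
    {
        if (depth > maxDepth)
            throw new InvalidOperationException($"nesting exceeds {maxDepth}");
        int deepest = depth;
        foreach (JToken child in token.Children())
            deepest = Math.Max(deepest, MaxNesting(child, maxDepth, depth + 1));
        return deepest;
    }

    public static void Main()
    {
        Console.WriteLine(TryParse(NestedArrays(10), 64, out _));
        Console.WriteLine(TryParse(NestedArrays(100_000), 64, out string err) + ": " + err);
        Console.WriteLine(MaxNesting(JToken.Parse(NestedArrays(10)), 64));
    }
}
```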


Re: [PR] AVRO-3874: Bump minimum Newtonsoft version [avro]

Posted by "zcsizmadia (via GitHub)" <gi...@apache.org>.
zcsizmadia closed pull request #2523: AVRO-3874: Bump minimum Newtonsoft version
URL: https://github.com/apache/avro/pull/2523
