You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@orc.apache.org by Owen O'Malley <ow...@gmail.com> on 2018/05/17 22:10:15 UTC
Apache ORC 1.5.0 and 1.4.4 Released
All,
This week we released two releases ORC 1.5.0 and ORC 1.4.4. The 1.5
release adds some great new features:
- New C++ Writer
- Support for variable length HDFS blocks
- CSV to ORC converter
- Much faster decimal implementation for precision <= 18 digits
- Support for building C++ library on Microsoft Visual C++.
- Support for older versions of Hadoop (all of the way back to 2.2.x)
For more details, please see
https://orc.apache.org/news/2018/05/14/ORC-1.5.0/ .
These releases also fix a denial of service vulnerability. Users are
encouraged to update.
# CVE-2018-8015: Apache ORC denial of service vulnerability
## Severity:
Medium
## Vendor:
[The Apache Software Foundation](https://apache.org)
## Versions Affected:
* ORC 1.0.0 to 1.4.3
## Description:
A malformed ORC file can trigger an endlessly recursive function call in the
C++ or Java parser.
The impact of this bug is most likely denial-of-service against software
that
uses the ORC file parser. With the C++ parser, the stack overflow might
possibly corrupt the stack.
## Mitigation:
* 1.3.x and 1.4.x users should upgrade to 1.4.4.
* 1.0.x to 1.2.x users should apply ORC-360 (Java) and ORC-313 (C++).
## Example:
An ORC file with a struct, union, array, or map type that includes itself as
a child will cause the parser to infinitely recurse until the stack
overflows.
## Credit:
This issue was discovered by Terry Chia.
## References:
[Apache ORC security](https://orc.apache.org/security/)