Posted to dev@avro.apache.org by "alwibrm (via GitHub)" <gi...@apache.org> on 2023/10/19 11:32:02 UTC

[PR] fix CVE-2023-42503 by using Apache Commons Compress 1.24.0 [avro]

alwibrm opened a new pull request, #2560:
URL: https://github.com/apache/avro/pull/2560

   Apache Commons Compress 1.22 is vulnerable to CVE-2023-42503. Fix by using version 1.24.0.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@avro.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Re: [PR] fix CVE-2023-42503 by using Apache Commons Compress 1.24.0 [avro]

Posted by "clesaec (via GitHub)" <gi...@apache.org>.
clesaec commented on PR #2560:
URL: https://github.com/apache/avro/pull/2560#issuecomment-1772271892

   I created [this JIRA](https://issues.apache.org/jira/browse/AVRO-3888) and merge this PR




Re: [PR] fix CVE-2023-42503 by using Apache Commons Compress 1.24.0 [avro]

Posted by "clesaec (via GitHub)" <gi...@apache.org>.
clesaec commented on PR #2560:
URL: https://github.com/apache/avro/pull/2560#issuecomment-1772237576

   @alwibrm: Is there any JIRA associated with this PR? If not, could you create one? (Or I can do it if you want.)
   (_JIRA is useful to follow changes in the project_)




Re: [PR] fix CVE-2023-42503 by using Apache Commons Compress 1.24.0 [avro]

Posted by "KalleOlaviNiemitalo (via GitHub)" <gi...@apache.org>.
KalleOlaviNiemitalo commented on PR #2560:
URL: https://github.com/apache/avro/pull/2560#issuecomment-1770806824

   The vulnerability reportedly affects only applications that use CompressorStreamFactory, TarArchiveInputStream, or TarFile.  The Avro source code has never referenced any of those classes, so the vulnerability seems impossible to exploit via Avro.
   
   No comment on whether this PR should be merged.


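The reachability claim in the comment above can be checked mechanically. The following is an added example, not code from the PR or from Avro: it scans Java sources for references to the three named classes, including simple-name use through a wildcard import and class names in reflection strings. The package names are those of Commons Compress, and the sample sources are constructed.

```python
import re
import sys
from pathlib import Path

# Affected entry points named in the comment above, mapped to their Commons Compress packages.
AFFECTED = {
    "CompressorStreamFactory": "org.apache.commons.compress.compressors",
    "TarArchiveInputStream": "org.apache.commons.compress.archivers.tar",
    "TarFile": "org.apache.commons.compress.archivers.tar",
}
_LITERAL_OR_COMMENT = re.compile(r'"(?:\\.|[^"\\\n])*"|/\*.*?\*/|//[^\n]*', re.S)
_WILDCARD_IMPORT = re.compile(r"^\s*import\s+([\w.]+)\.\*\s*;", re.M)

def affected_refs(java_source):
    """Return the sorted affected class names referenced by one Java source text."""
    # Drop comments but keep string literals, since reflection can name a class there.
    code = _LITERAL_OR_COMMENT.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else " ", java_source)
    wildcards = set(_WILDCARD_IMPORT.findall(code))
    hits = set()
    for cls, pkg in AFFECTED.items():
        # Fully qualified name: explicit import, static import, inline use or reflection string.
        if re.search(rf"(?<![\w.]){re.escape(pkg)}\.{cls}\b", code):
            hits.add(cls)
        # Simple name made visible by a wildcard import of the class's package.
        elif pkg in wildcards and re.search(rf"(?<![\w.]){cls}\b", code):
            hits.add(cls)
    return sorted(hits)

def scan_tree(root):
    """Map each .java file under root that references an affected class to those classes."""
    report = {}
    for path in sorted(Path(root).rglob("*.java")):
        refs = affected_refs(path.read_text(encoding="utf-8", errors="replace"))
        if refs:
            report[str(path.relative_to(root))] = refs
    return report

# Constructed samples (not Avro code): one wildcard-import use, one mention only in a comment.
SAMPLE_USES = """import org.apache.commons.compress.archivers.tar.*;
class Unpack { void run(java.io.InputStream in) { new TarArchiveInputStream(in); } }"""
SAMPLE_COMMENT_ONLY = """import org.apache.commons.compress.compressors.xz.XZCompressorInputStream;
// CVE-2023-42503 concerns TarArchiveInputStream and TarFile, which are not used here.
class Codec { }"""

if __name__ == "__main__":
    for name, classes in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, ", ".join(classes))
```

A clean result covers only the scanned sources; other dependencies on the classpath that call these classes need the same check.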


Re: [PR] fix CVE-2023-42503 by using Apache Commons Compress 1.24.0 [avro]

Posted by "clesaec (via GitHub)" <gi...@apache.org>.
clesaec merged PR #2560:
URL: https://github.com/apache/avro/pull/2560




Re: [PR] fix CVE-2023-42503 by using Apache Commons Compress 1.24.0 [avro]

Posted by "alwibrm (via GitHub)" <gi...@apache.org>.
alwibrm commented on PR #2560:
URL: https://github.com/apache/avro/pull/2560#issuecomment-1772261251

   @clesaec I have not created a Jira issue for this. Yesterday I intended to do so and realized too late that there was a self service for registration. I would appreciate it if you would create one, thank you very much.

