Posted to dev@avro.apache.org by "Ryan Skraba (Jira)" <ji...@apache.org> on 2022/08/25 15:31:00 UTC
[jira] [Commented] (AVRO-3267) The website should have a security/vulnerabilities page
[ https://issues.apache.org/jira/browse/AVRO-3267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17584901#comment-17584901 ]
Ryan Skraba commented on AVRO-3267:
-----------------------------------
We should list our known CVEs, but we should also note what is and isn't considered a vulnerability.
For example, when decoding corrupt or untrusted binary, we might come across undeserializable bytes or a potential memory attack. Currently, this returns control to the user code via various RuntimeExceptions without consuming unnecessary resources (huge blocks of memory or CPU). This is probably not a CVE. Forcing an OutOfMemoryError or other non-recoverable error might be a security issue.
> The website should have a security/vulnerabilities page
> -------------------------------------------------------
>
> Key: AVRO-3267
> URL: https://issues.apache.org/jira/browse/AVRO-3267
> Project: Apache Avro
> Issue Type: Improvement
> Reporter: Ryan Skraba
> Priority: Major
>
> Many Apache projects have web pages for reporting vulnerabilities:
> [https://flink.apache.org/security.html]
> [https://logging.apache.org/log4j/2.x/security.html]
> [https://beam.apache.org/security/]
> There should be one for Apache Avro.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
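The distinction drawn in the comment above (a corrupt length prefix that surfaces as a recoverable exception versus one that drives the process into an OutOfMemoryError) is easiest to see in a decoder that validates a length before it allocates. The following is an added example, not code from the Avro project or from the comment's author: a minimal decoder for the Avro binary `long` (zigzag varint) and `bytes` (length + payload) encodings applied to a hypothetical two-field record, with an assumed 1 MiB policy cap on any single `bytes` value. The sample inputs are constructed inline. Names such as `CorruptInput`, `DEFAULT_MAX_BYTES` and `decode_untrusted` are this example's own.

```python
"""Added example (not Avro project code): bound what a decoder will allocate
before trusting a length read from untrusted binary input."""
from __future__ import annotations


class CorruptInput(ValueError):
    """Recoverable error: the buffer is malformed; the caller keeps control."""


MAX_VARINT_BYTES = 10        # a 64-bit zigzag varint never needs more than 10 bytes
DEFAULT_MAX_BYTES = 1 << 20  # assumed policy cap for one bytes value (1 MiB)


def write_long(value: int) -> bytes:
    """Avro zigzag varint encoding of a 64-bit long (used here to build inputs)."""
    zz = (value << 1) ^ (value >> 63)  # zigzag: sign bit moves to the low bit
    out = bytearray()
    while True:
        byte = zz & 0x7F
        zz >>= 7
        if zz:
            out.append(byte | 0x80)  # continuation bit set, more bytes follow
        else:
            out.append(byte)
            return bytes(out)


def write_bytes(payload: bytes) -> bytes:
    """Avro `bytes` encoding: zigzag length followed by the raw payload."""
    return write_long(len(payload)) + payload


def read_long(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a zigzag varint at buf[pos]; returns (value, next_pos)."""
    result = 0
    shift = 0
    for i in range(MAX_VARINT_BYTES):
        if pos + i >= len(buf):
            raise CorruptInput("truncated varint")
        b = buf[pos + i]
        result |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return (result >> 1) ^ -(result & 1), pos + i + 1
    raise CorruptInput("varint longer than 10 bytes")


def read_bytes(buf: bytes, pos: int, max_bytes: int = DEFAULT_MAX_BYTES) -> tuple[bytes, int]:
    """Decode an Avro `bytes` value, validating the declared length against the
    policy cap and the bytes actually present before any slice of that size is made."""
    length, pos = read_long(buf, pos)
    if length < 0:
        raise CorruptInput(f"negative bytes length {length}")
    if length > max_bytes:
        raise CorruptInput(f"bytes length {length} exceeds cap {max_bytes}")
    remaining = len(buf) - pos
    if length > remaining:
        raise CorruptInput(f"bytes length {length} exceeds remaining {remaining}")
    return bytes(buf[pos:pos + length]), pos + length


def decode_record(buf: bytes) -> dict:
    """Decode the hypothetical record {id: long, payload: bytes}; trailing data is corrupt."""
    rec_id, pos = read_long(buf, 0)
    payload, pos = read_bytes(buf, pos)
    if pos != len(buf):
        raise CorruptInput(f"{len(buf) - pos} trailing bytes after record")
    return {"id": rec_id, "payload": payload}


def decode_untrusted(buf: bytes) -> tuple[str, object]:
    """Return ('ok', record) or ('corrupt', reason): control always returns to the caller."""
    try:
        return "ok", decode_record(buf)
    except CorruptInput as exc:
        return "corrupt", str(exc)


# Constructed sample inputs (not captured from any real system).
GOOD = write_long(42) + write_bytes(b"hello")
HUGE_LENGTH = write_long(42) + write_long(1 << 62) + b"hello"  # claims 4 EiB of payload
NEGATIVE_LENGTH = write_long(42) + write_long(-5)
TRUNCATED = write_long(42) + write_long(5) + b"hel"

if __name__ == "__main__":
    for name, data in [("GOOD", GOOD), ("HUGE_LENGTH", HUGE_LENGTH),
                       ("NEGATIVE_LENGTH", NEGATIVE_LENGTH), ("TRUNCATED", TRUNCATED)]:
        print(name, decode_untrusted(data))
```

The cap check runs before the remaining-bytes check so that a declared length far beyond anything the buffer could hold is rejected for the clearer reason; neither check touches memory proportional to the declared length, which is the property the comment treats as the line between a robustness bug and a security issue.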