Posted to dev@avro.apache.org by "Ryan Skraba (Jira)" <ji...@apache.org> on 2022/08/25 15:31:00 UTC

[jira] [Commented] (AVRO-3267) The website should have a security/vulnerabilities page

    [ https://issues.apache.org/jira/browse/AVRO-3267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17584901#comment-17584901 ] 

Ryan Skraba commented on AVRO-3267:
-----------------------------------

We should list our known CVEs, but we should also note what is and isn't considered a vulnerability.

For example, when decoding corrupt or untrusted binary, we might come across undeserializable bytes or a potential memory attack. Currently, this returns control to the user code via various RuntimeExceptions without consuming unnecessary resources (huge blocks of memory or CPU). This is probably not a CVE. Forcing an OutOfMemoryError or other non-recoverable error might be a security issue.

> The website should have a security/vulnerabilities page
> -------------------------------------------------------
>
>                 Key: AVRO-3267
>                 URL: https://issues.apache.org/jira/browse/AVRO-3267
>             Project: Apache Avro
>          Issue Type: Improvement
>            Reporter: Ryan Skraba
>            Priority: Major
>
> Many Apache projects have web pages for reporting vulnerabilities:
> [https://flink.apache.org/security.html]
> [https://logging.apache.org/log4j/2.x/security.html]
> [https://beam.apache.org/security/]
> There should be one for Apache Avro.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
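To make the distinction drawn in the comment concrete, here is an added example, not code from the Avro project or from the commenter: a minimal Python reader for a few Avro binary types (zig-zag varint long, length-prefixed bytes and string, block-encoded array) that treats every malformed or hostile length prefix as a recoverable exception and never allocates anything of the attacker-claimed size. The 1 MiB per-value cap, the MalformedAvroError name, the try_decode helper and the sample byte strings are assumptions constructed for this example and are not Avro constants or APIs.

```python
"""Minimal reader for a few Avro binary types, hardened for untrusted input.

Added example, not Avro's own decoder. Hostile or corrupt bytes surface as
MalformedAvroError (recoverable, caller keeps control); nothing of the size
claimed by a length prefix is allocated before the prefix is validated.
"""


class MalformedAvroError(ValueError):
    """Raised for undecodable or hostile bytes; the caller decides what to do."""


class BinaryDecoder:
    # max_len is an assumed per-value cap chosen by the caller, not an Avro constant.
    def __init__(self, data: bytes, max_len: int = 1 << 20):
        self._buf = memoryview(data)
        self._pos = 0
        self._max_len = max_len

    def _remaining(self) -> int:
        return len(self._buf) - self._pos

    def read_long(self) -> int:
        """Avro long: zig-zag integer in little-endian base-128 varint form."""
        result, shift = 0, 0
        while True:
            if self._pos >= len(self._buf):
                raise MalformedAvroError("truncated varint")
            b = self._buf[self._pos]
            self._pos += 1
            result |= (b & 0x7F) << shift
            if not b & 0x80:
                break
            shift += 7
            if shift > 63:  # a 64-bit value never needs more than 10 bytes
                raise MalformedAvroError("varint longer than 10 bytes")
        result &= (1 << 64) - 1
        return (result >> 1) ^ -(result & 1)  # undo zig-zag

    def _read_len_prefixed(self, what: str) -> bytes:
        """Check the prefix against the cap and the bytes actually present
        before touching the payload, so a bogus prefix costs nothing."""
        n = self.read_long()
        if n < 0:
            raise MalformedAvroError(f"negative {what} length {n}")
        if n > self._max_len:
            raise MalformedAvroError(f"{what} length {n} exceeds cap {self._max_len}")
        if n > self._remaining():
            raise MalformedAvroError(
                f"{what} claims {n} bytes but only {self._remaining()} remain")
        out = bytes(self._buf[self._pos:self._pos + n])
        self._pos += n
        return out

    def read_bytes(self) -> bytes:
        return self._read_len_prefixed("bytes")

    def read_string(self) -> str:
        raw = self._read_len_prefixed("string")
        try:
            return raw.decode("utf-8")
        except UnicodeDecodeError as exc:
            raise MalformedAvroError("string is not valid UTF-8") from exc

    def read_array(self, read_item):
        """Avro array: blocks of (count, items...) ended by a zero count; a negative
        count means |count| items preceded by the block's byte size. Items are
        decoded one at a time, so a huge count is capped, never used to pre-size."""
        items = []
        while True:
            count = self.read_long()
            if count == 0:
                return items
            if count < 0:
                count = -count
                self.read_long()  # block byte size; unused in a sequential read
            if count > self._max_len:
                raise MalformedAvroError(f"array block count {count} exceeds cap")
            for _ in range(count):
                items.append(read_item())


def encode_long(n: int) -> bytes:
    """Writer-side zig-zag varint, used only to build the constructed samples."""
    z = (n << 1) ^ (n >> 63)
    out = bytearray()
    while z >= 0x80:
        out.append((z & 0x7F) | 0x80)
        z >>= 7
    out.append(z)
    return bytes(out)


READERS = {
    "long": lambda d: d.read_long(),
    "bytes": lambda d: d.read_bytes(),
    "string": lambda d: d.read_string(),
    "array<long>": lambda d: d.read_array(d.read_long),
}


def try_decode(data: bytes, avro_type: str):
    """Decode one value from untrusted bytes: ("ok", value) or ("rejected", reason)."""
    dec = BinaryDecoder(data)
    try:
        return ("ok", READERS[avro_type](dec))
    except MalformedAvroError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Constructed samples: one honest string and several hostile prefixes.
    samples = [
        (b"\x0ahello", "string"),                        # len 5, "hello"
        (encode_long(1 << 40) + b"xx", "string"),        # claims 1 TiB
        (encode_long(-1) + b"x", "bytes"),               # negative length
        (b"\x80\x80\x80", "long"),                       # truncated varint
        (encode_long(1 << 40) + b"\x00", "array<long>"), # claims 2^40 items
    ]
    for raw, typ in samples:
        print(typ, raw[:8], "->", try_decode(raw, typ))
```

The three checks in _read_len_prefixed (sign, cap, bytes remaining) are the whole point: a length prefix is attacker-controlled data, and it is compared against what is actually in the buffer before any allocation happens, which is what keeps a hostile record in the "recoverable RuntimeException" category rather than the "forced OutOfMemoryError" one.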