Posted to issues@iceberg.apache.org by "mrmadira (via GitHub)" <gi...@apache.org> on 2023/05/04 17:12:19 UTC

[GitHub] [iceberg] mrmadira opened a new issue, #7530: protobuf CVEs reported on iceberg-spark-runtime jar

mrmadira opened a new issue, #7530:
URL: https://github.com/apache/iceberg/issues/7530

   protobuf CVEs reported on iceberg-spark-runtime jar
   
   CVE | Severity | Package | Package Path
   -- | -- | -- | --
   CVE-2022-3171 | high | protobuf-java | iceberg-spark-runtime-3.3_2.12-1.1.0.jar
   CVE-2022-3509 | high | protobuf-java | iceberg-spark-runtime-3.3_2.12-1.1.0.jar
   CVE-2022-3510 | high | protobuf-java | iceberg-spark-runtime-3.3_2.12-1.1.0.jar
   
   These are very old CVEs. Can someone please advise whether the CVEs are applicable and whether there is a plan to bump the version?
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@iceberg.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@iceberg.apache.org
For additional commands, e-mail: issues-help@iceberg.apache.org


[GitHub] [iceberg] mrmadira commented on issue #7530: protobuf CVEs reported on iceberg-spark-runtime jar

Posted by "mrmadira (via GitHub)" <gi...@apache.org>.
mrmadira commented on issue #7530:
URL: https://github.com/apache/iceberg/issues/7530#issuecomment-1535657474

   @Fokko - This is the fastest PR merge I have seen in open source :)
   I see that the ORC milestone is September 2023.
   Will there be a new version of the Iceberg jar released around that timeframe?




[GitHub] [iceberg] Fokko commented on issue #7530: protobuf CVEs reported on iceberg-spark-runtime jar

Posted by "Fokko (via GitHub)" <gi...@apache.org>.
Fokko commented on issue #7530:
URL: https://github.com/apache/iceberg/issues/7530#issuecomment-1535801452

   @mrmadira I was also amazed :) Backporting would be more difficult since Protobuf is a core component in ORC. 
   
   In Iceberg we aim to release every three months, so it shouldn't take too long. 




[GitHub] [iceberg] Fokko commented on issue #7530: protobuf CVEs reported on iceberg-spark-runtime jar

Posted by "Fokko (via GitHub)" <gi...@apache.org>.
Fokko commented on issue #7530:
URL: https://github.com/apache/iceberg/issues/7530#issuecomment-1535159426

   Thanks @mrmadira for raising this. It looks like they are coming from ORC. I've created a PR over there: https://github.com/apache/orc/pull/1485. Idk how severe they are, or if it imposes a security risk at all, but it is probably a good idea to update to a later version.




[GitHub] [iceberg] Fokko commented on issue #7530: protobuf CVEs reported on iceberg-spark-runtime jar

Posted by "Fokko (via GitHub)" <gi...@apache.org>.
Fokko commented on issue #7530:
URL: https://github.com/apache/iceberg/issues/7530#issuecomment-1680318445

   It will be part of the Iceberg 1.4 release: https://github.com/apache/iceberg/pull/8332




[GitHub] [iceberg] mrmadira commented on issue #7530: protobuf CVEs reported on iceberg-spark-runtime jar

Posted by "mrmadira (via GitHub)" <gi...@apache.org>.
mrmadira commented on issue #7530:
URL: https://github.com/apache/iceberg/issues/7530#issuecomment-1655477738

   Hello team - I see a release at https://mvnrepository.com/artifact/org.apache.iceberg/iceberg-spark-runtime-3.3
   However, the protobuf is still at 3.17.3 ... how is that?


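Added example, not code from the Iceberg project or from anyone in this thread, for the question raised in the opening post and again above: it reads the protobuf-java version that Maven records inside a shaded runtime jar (the metadata a scanner keys on, even when the classes are relocated) and tests it against the affected ranges of the three CVEs. The jar is constructed in memory; the `META-INF/maven/...` layout and the ranges, taken from the GitHub Security Advisories for CVE-2022-3171/3509/3510, are assumptions to verify against your own scanner's data.

```python
import io
import re
import zipfile

# Where Maven-built jars record a bundled dependency (assumed layout scanners read).
PROTOBUF_POM = "META-INF/maven/com.google.protobuf/protobuf-java/pom.properties"

# Affected ranges for CVE-2022-3171 / -3509 / -3510 as published in the GitHub
# Security Advisories (fixed in 3.16.3, 3.19.6, 3.20.3, 3.21.7); verify locally.
AFFECTED_RANGES = [
    ((0, 0, 0), (3, 16, 3)),
    ((3, 17, 0), (3, 19, 6)),
    ((3, 20, 0), (3, 20, 3)),
    ((3, 21, 0), (3, 21, 7)),
]

def parse_version(text):
    """'3.17.3' -> (3, 17, 3); a suffix such as '-rc1' is ignored."""
    nums = []
    for piece in text.strip().split(".")[:3]:
        m = re.match(r"\d+", piece)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(version):
    """True when this protobuf-java version falls inside a vulnerable range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def bundled_protobuf_version(jar_bytes):
    """Version of protobuf-java recorded inside a (shaded) jar, or None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if PROTOBUF_POM not in jar.namelist():
            return None
        for line in jar.read(PROTOBUF_POM).decode("utf-8").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None

def build_sample_jar(version):
    """Constructed stand-in for a runtime jar that shades one protobuf-java."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(PROTOBUF_POM, f"artifactId=protobuf-java\nversion={version}\n")
        jar.writestr("org/apache/iceberg/shaded/com/google/protobuf/Message.class", b"")
    return buf.getvalue()

def check_jar(jar_bytes):
    """(version, affected) for a jar; (None, False) when protobuf is not bundled."""
    found = bundled_protobuf_version(jar_bytes)
    return found, bool(found and is_affected(found))
```

Run `check_jar` over the real `iceberg-spark-runtime` jar bytes to see which protobuf version it actually ships; a version the scanner flags but that falls outside every range is a false positive worth reporting back.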


[GitHub] [iceberg] Fokko closed issue #7530: protobuf CVEs reported on iceberg-spark-runtime jar

Posted by "Fokko (via GitHub)" <gi...@apache.org>.
Fokko closed issue #7530: protobuf CVEs reported on iceberg-spark-runtime jar
URL: https://github.com/apache/iceberg/issues/7530

