Hi guys

Quick update about that:
1. I took a deeper look today at the Avro CVE issue. I don't think
we are impacted on Iceberg (the CVE is about deserialization of
corrupted data potentially causing out of memory). The fix
(https://github.com/apache/avro/commit/a12a7e44d) introduces
SystemLimitException that uses system properties to define boundaries
and avoid the OOM (even if the deserialization still won't work :)).
So, nothing really changes from an Iceberg perspective.
2. As discussed during the community meeting today, as (1) doesn't
really have an impact on Iceberg, there's no urgency to release 1.4.3.
We agreed to wait for new fixes for the 1.4.3 release.

I'm still volunteering to cut the 1.4.3 patch release when ready (I
did all the build checks on my machine :)), and I'm doing a pass on GH
issues.

Thanks !
Regards
JB

On Tue, Nov 21, 2023 at 8:49 PM Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
>
> Hi
>
> We chatted about the 1.4.3 release with Ed.
>
> We have a few PRs we want to include and as it’s Thanksgiving this week, I will
> submit the release to vote on Tuesday next week.
>
> Regards
> JB
>
> On Mon, Nov 20, 2023 at 17:24, Jean-Baptiste Onofré <j...@nanthrax.net>
> wrote:
>>
>> Thanks Fokko !
>>
>> I'm on the local build check and issue pass. I plan to start the
>> release tomorrow.
>>
>> Regards
>> JB
>>
>> On Mon, Nov 20, 2023 at 8:56 AM Driesprong, Fokko <fo...@driesprong.frl> 
>> wrote:
>> >
>> > I took the liberty and created a 1.4.3 milestone to track any issues that 
>> > we want to backport.
>> >
>> > Kind regards,
>> > Fokko Driesprong
>> >
>> > On Mon, Nov 20, 2023 at 08:50, Driesprong, Fokko
>> > <fo...@driesprong.frl> wrote:
>> >>
>> >> Hey JB,
>> >>
>> >> Late to the party here, but 1.4.3 sounds like a great idea. Let me know 
>> >> if you need any help with any release steps.
>> >>
>> >> Kind regards,
>> >> Fokko Driesprong
>> >>
>> >> On Mon, Nov 20, 2023 at 08:16, Jean-Baptiste Onofré
>> >> <j...@nanthrax.net> wrote:
>> >>>
>> >>> Hi
>> >>>
>> >>> As there's no objection, I will move forward and prepare the release to 
>> >>> vote.
>> >>>
>> >>> I will keep you posted asap.
>> >>>
>> >>> Thanks,
>> >>> Regards
>> >>> JB
>> >>>
>> >>> On Wed, Nov 15, 2023 at 6:11 AM Jean-Baptiste Onofré <j...@nanthrax.net> 
>> >>> wrote:
>> >>> >
>> >>> > Hi guys,
>> >>> >
>> >>> > Avro 1.11.3 has been released, fixing CVE-2023-39410.
>> >>> > We already updated to Avro 1.11.3 on main.
>> >>> >
>> >>> > About CVE, we also already use guava 32.1.3, fixing CVE-2023-2976.
>> >>> >
>> >>> > As the Avro CVE is classified high (see
>> >>> > https://nvd.nist.gov/vuln/detail/CVE-2023-39410), I propose to bump to
>> >>> > Avro 1.11.3 on our 1.4.x branch and release Iceberg 1.4.3 including
>> >>> > this.
>> >>> >
>> >>> > Thoughts ?
>> >>> >
>> >>> > If there are no objections, I'm volunteering to drive this release.
>> >>> >
>> >>> > Thanks,
>> >>> > Regards
>> >>> > JB
