Hi,

I did the security fix in Avro and I can say that Iceberg is not really impacted and vulnerable. I'm not against a 1.6.2 release, but as we discussed Iceberg 1.7.0 by the end of October (see Russell's message a few days ago), maybe we can wait for 1.7.0?

Regards
JB

On Wed, Oct 9, 2024 at 8:46 PM Ajantha Bhat <ajanthab...@gmail.com> wrote:
>
> Hi everyone,
> Since 1.7.0 is still a few weeks away,
> how about releasing version 1.6.2 with just the Avro version update?
> The current Avro version in 1.6.1 (1.11.3) has a recently reported CVE:
> CVE-2024-47561. [2]
>
> I'm happy to coordinate and be the release manager for this.
>
> [1]
> https://github.com/apache/iceberg/blob/8e9d59d299be42b0bca9461457cd1e95dbaad086/gradle/libs.versions.toml#L28
> [2] https://lists.apache.org/thread/c2v7mhqnmq0jmbwxqq3r5jbj1xg43h5x
>
> - Ajantha