If it is already analyzed and not really applicable for Iceberg, we can wait for 1.7.0.
Thanks.

- Ajantha

On Thu, Oct 10, 2024 at 3:41 PM Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> Hi
>
> I did the security fix in Avro and I can say that Iceberg is not
> really impacted and vulnerable.
> I'm not against a 1.6.2 release, but as we discussed Iceberg
> 1.7.0 by the end of October (see Russell's message a few days ago),
> maybe we can wait for 1.7.0?
>
> Regards
> JB
>
> On Wed, Oct 9, 2024 at 8:46 PM Ajantha Bhat <ajanthab...@gmail.com> wrote:
> >
> > Hi everyone,
> > Since 1.7.0 is still a few weeks away,
> > how about releasing version 1.6.2 with just the Avro version update?
> > The current Avro version in 1.6.1 (1.11.3) has a recently reported CVE:
> > CVE-2024-47561. [2]
> >
> > I'm happy to coordinate and be the release manager for this.
> >
> > [1] https://github.com/apache/iceberg/blob/8e9d59d299be42b0bca9461457cd1e95dbaad086/gradle/libs.versions.toml#L28
> > [2] https://lists.apache.org/thread/c2v7mhqnmq0jmbwxqq3r5jbj1xg43h5x
> >
> > - Ajantha