Hey Manu, Thanks for bringing this up. Sorry for not getting back to you sooner. I saw the ping on GitHub, but I was traveling and at the summit, so I didn't get to it. The main question is, do we know if the vulnerable code path is used by Iceberg? I put in a breakpoint at the checkSecurity <https://github.com/apache/parquet-java/pull/3169/files#diff-843b7d69e1ab11efea5f9cbb3cdef97018962430525040a2a5c3eed0fb5848a3R293> method and ran the test suite of the parquet module, but it didn't trigger on my end.
Kind regards, Fokko Op za 12 apr 2025 om 16:50 schreef Manu Zhang <owenzhang1...@gmail.com>: > Hi all, > > https://nvd.nist.gov/vuln/detail/CVE-2025-30065 (10.0 critical) has been > fixed on the main branch for 1.9+ (upgrade parquet to 1.15.1). Shall we fix > on 1.8.x, 1.7.x and 1.6.x? > > There's an open issue[1] and PRs for 1.7.x[2] and 1.6.x[3] > > 1. https://github.com/apache/iceberg/issues/12749 > 2. https://github.com/apache/iceberg/pull/12778 > 3. https://github.com/apache/iceberg/pull/12780 > > > Thanks, > Manu >
