Hey Fokko,

I'm not sure that's enough to persuade our security teams not to upgrade.
They usually scan for vulnerable versions and send security tickets
regardless of the attack path.
I think the question is, what's the upgrade path for users having to
upgrade?

p.s. I missed the PR[1] for 1.8.x, which has already been merged.

1. https://github.com/apache/iceberg/pull/12767

Thanks,
Manu

On Sun, Apr 13, 2025 at 4:54 AM Fokko Driesprong <fo...@apache.org> wrote:

> Hey Manu,
>
> Thanks for bringing this up. Sorry for not getting back to you sooner. I
> saw the ping on GitHub, but I was traveling and at the summit, so I didn't
> get to it. The main question is, do we know if the vulnerable code path is
> used by Iceberg? I put in a breakpoint at the checkSecurity
> <https://github.com/apache/parquet-java/pull/3169/files#diff-843b7d69e1ab11efea5f9cbb3cdef97018962430525040a2a5c3eed0fb5848a3R293>
> method and ran the test suite of the parquet module, but it didn't
> trigger on my end.
>
> Kind regards,
> Fokko
>
>
> On Sat, Apr 12, 2025 at 16:50, Manu Zhang <owenzhang1...@gmail.com> wrote:
>
>> Hi all,
>>
>> https://nvd.nist.gov/vuln/detail/CVE-2025-30065 (10.0 critical) has been
>> fixed on the main branch for 1.9+ (upgrade parquet to 1.15.1). Shall we fix
>> it on 1.8.x, 1.7.x and 1.6.x?
>>
>> There's an open issue[1] and PRs for 1.7.x[2] and 1.6.x[3].
>>
>> 1. https://github.com/apache/iceberg/issues/12749
>> 2. https://github.com/apache/iceberg/pull/12778
>> 3. https://github.com/apache/iceberg/pull/12780
>>
>>
>> Thanks,
>> Manu
>>
>