Hey Manu,

I agree, and we often see people filing tickets for unrelated security
vulnerabilities that are caught by their CI system. However, doing a new
release will also unnecessarily alarm folks about a vulnerability that's
not there. As a side effect, upgrading 1.7.x from Parquet 1.13.1 to Parquet
1.15.1 will also introduce new features, which we try to avoid in patch
releases (as Peter pointed out on the GitHub issue
<https://github.com/apache/iceberg/issues/12749#issuecomment-2799684141>).
The 1.8.x branch is already at 1.15.0, so there we wouldn't introduce new
functionality; it would just be a release to silence the vulnerability
checkers :)

For those interested, Gábor also suggested deprecating and removing the
reflect code in Parquet
<https://lists.apache.org/thread/c91s61tqkbbrc7xj180xh2rx89yx8pfk>.

Kind regards,
Fokko

On Mon, 14 Apr 2025 at 03:47, Manu Zhang <owenzhang1...@gmail.com> wrote:

> Hey Fokko,
>
> I'm not sure that's enough to persuade our security teams not to upgrade.
> They usually scan for vulnerable versions and send security tickets
> regardless of the attack path.
> I think the question is, what's the upgrade path for users having to
> upgrade?
>
> p.s. I missed the PR[1] for 1.8.x, which has already been merged.
>
> 1. https://github.com/apache/iceberg/pull/12767
>
> Thanks,
> Manu
>
> On Sun, Apr 13, 2025 at 4:54 AM Fokko Driesprong <fo...@apache.org> wrote:
>
>> Hey Manu,
>>
>> Thanks for bringing this up. Sorry for not getting back to you sooner. I
>> saw the ping on GitHub, but I was traveling and at the summit, so I didn't
>> get to it. The main question is, do we know if the vulnerable code path is
>> used by Iceberg? I put in a breakpoint at the checkSecurity
>> <https://github.com/apache/parquet-java/pull/3169/files#diff-843b7d69e1ab11efea5f9cbb3cdef97018962430525040a2a5c3eed0fb5848a3R293>
>> method and ran the test suite of the parquet module, but it didn't
>> trigger on my end.
>>
>> Kind regards,
>> Fokko
>>
>>
>> On Sat, 12 Apr 2025 at 16:50, Manu Zhang <owenzhang1...@gmail.com> wrote:
>>
>>> Hi all,
>>>
>>> https://nvd.nist.gov/vuln/detail/CVE-2025-30065 (10.0 critical) has
>>> been fixed on the main branch for 1.9+ (upgrade parquet to 1.15.1). Shall
>>> we fix on 1.8.x, 1.7.x and 1.6.x?
>>>
>>> There's an open issue[1] and PRs for 1.7.x[2] and 1.6.x[3].
>>>
>>> 1. https://github.com/apache/iceberg/issues/12749
>>> 2. https://github.com/apache/iceberg/pull/12778
>>> 3. https://github.com/apache/iceberg/pull/12780
>>>
>>>
>>> Thanks,
>>> Manu
>>>
>>
