I agree with Fokko. It's a good idea to get a release out soon that has a fix for this, but we don't want to make unnecessary releases for things that aren't actual vulnerabilities. That's especially true in older branches, where we have reasonable guidelines for what goes in them already. It's better for people to update to 1.8.x than for us to backport an unnecessary fix to 1.7.x along with a significant version bump that we would not normally allow.
In addition, I think it's relevant that people can override the Parquet dependency in their builds. There should be no urgent need for an Iceberg release just to automatically bump the Parquet version in downstream builds.

Ryan

On Mon, Apr 14, 2025 at 2:49 AM Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> Hi Manu,
>
> See my comments from a few days ago (in the 1.9.x release discussion):
> https://lists.apache.org/thread/4c4hg85c8qxq4cznp3drnyro88qp0rjr
>
> Regards
> JB
>
> On Sat, Apr 12, 2025 at 4:50 PM Manu Zhang <owenzhang1...@gmail.com> wrote:
> >
> > Hi all,
> >
> > https://nvd.nist.gov/vuln/detail/CVE-2025-30065 (10.0 critical) has been fixed on the main branch for 1.9+ (upgrade parquet to 1.15.1). Shall we fix on 1.8.x, 1.7.x and 1.6.x?
> >
> > There's an open issue[1] and PRs for 1.7.x[2] and 1.6.x[3]
> >
> > 1. https://github.com/apache/iceberg/issues/12749
> > 2. https://github.com/apache/iceberg/pull/12778
> > 3. https://github.com/apache/iceberg/pull/12780
> >
> >
> > Thanks,
> > Manu
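Ryan's point that downstream builds can override the Parquet dependency themselves, shown as an added example (not from this thread or the Iceberg project): a Maven `dependencyManagement` block pins the Parquet modules to 1.15.1, the fixed version named above, so the transitive versions pulled in by `iceberg-parquet` are replaced. The Iceberg version (1.8.1) and the list of Parquet artifacts are assumptions for illustration; adjust them to whatever your own dependency tree shows.

```xml
<!-- Added example, not from the thread: pin Parquet in a downstream Maven build.
     Versions declared under dependencyManagement take precedence over the
     transitive versions that iceberg-parquet would otherwise bring in.
     The Iceberg version and the artifact list are assumptions for illustration. -->
<project>
  <properties>
    <!-- 1.15.1 is the fixed Parquet release referenced in the thread -->
    <parquet.version>1.15.1</parquet.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Pin every Parquet module that arrives transitively, so the modules
           stay on one consistent version instead of a mix of old and new. -->
      <dependency>
        <groupId>org.apache.parquet</groupId>
        <artifactId>parquet-avro</artifactId>
        <version>${parquet.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.parquet</groupId>
        <artifactId>parquet-hadoop</artifactId>
        <version>${parquet.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.parquet</groupId>
        <artifactId>parquet-column</artifactId>
        <version>${parquet.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.parquet</groupId>
        <artifactId>parquet-common</artifactId>
        <version>${parquet.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.parquet</groupId>
        <artifactId>parquet-encoding</artifactId>
        <version>${parquet.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.parquet</groupId>
        <artifactId>parquet-format-structures</artifactId>
        <version>${parquet.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Assumed downstream dependency: an unchanged 1.8.x Iceberg release.
         Its own Parquet dependency is overridden by the pins above. -->
    <dependency>
      <groupId>org.apache.iceberg</groupId>
      <artifactId>iceberg-parquet</artifactId>
      <version>1.8.1</version>
    </dependency>
  </dependencies>
</project>
```

To confirm the override took effect, run `mvn dependency:tree -Dincludes=org.apache.parquet` and check that every `org.apache.parquet` line resolves to 1.15.1. Two caveats: if any Parquet module is missing from the pinned list it will stay at the older transitive version, which the tree output makes visible; and the pin only governs jars this build resolves, so when the runtime environment ships its own Parquet jars (as engine distributions often do), verify the version actually loaded on that classpath rather than relying on the build alone.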