So it sounds like we may want to do 1.8.2 with the updated Parquet version
as that should be very low risk.
Does anyone want to volunteer and be the release manager for 1.8.2?

On Mon, Apr 14, 2025 at 5:29 PM Ryan Blue <rdb...@gmail.com> wrote:

> I agree with Fokko. It's a good idea to get a release out soon that has a
> fix for this, but we don't want to make unnecessary releases for things
> that aren't actual vulnerabilities. That's especially true in older
> branches, where we have reasonable guidelines for what goes in them
> already. It's better for people to update to 1.8.x than for us to backport
> an unnecessary fix to 1.7.x along with a significant version bump that we
> would not normally allow.
>
> In addition, I think it's relevant that people can override the Parquet
> dependency in their builds. There should be no urgent need for an Iceberg
> release just to automatically bump the Parquet version in downstream builds.
>
> Ryan
>
> On Mon, Apr 14, 2025 at 2:49 AM Jean-Baptiste Onofré <j...@nanthrax.net>
> wrote:
>
>> Hi Manu,
>>
>> See my comments from a few days ago (in the 1.9.x release discussion):
>> https://lists.apache.org/thread/4c4hg85c8qxq4cznp3drnyro88qp0rjr
>>
>> Regards
>> JB
>>
>> On Sat, Apr 12, 2025 at 4:50 PM Manu Zhang <owenzhang1...@gmail.com>
>> wrote:
>> >
>> > Hi all,
>> >
>> > https://nvd.nist.gov/vuln/detail/CVE-2025-30065 (10.0 critical) has
>> > been fixed on the main branch for 1.9+ (upgrade parquet to 1.15.1). Shall
>> > we fix on 1.8.x, 1.7.x and 1.6.x?
>> >
>> > There's an open issue[1] and PRs for 1.7.x[2] and 1.6.x[3]
>> >
>> > 1. https://github.com/apache/iceberg/issues/12749
>> > 2. https://github.com/apache/iceberg/pull/12778
>> > 3. https://github.com/apache/iceberg/pull/12780
>> >
>> >
>> > Thanks,
>> > Manu
>>
>
