[ https://issues.apache.org/jira/browse/IMPALA-14579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18040884#comment-18040884 ]

ASF subversion and git services commented on IMPALA-14579:
----------------------------------------------------------

Commit 685745f785e066771bb55045e3ed47967635edfa in impala's branch 
refs/heads/master from jichen0919
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=685745f78 ]

IMPALA-14579: Bump up paimon version to 1.3.1 for CVE-2025-46762

This patch mainly fixes CVE-2025-46762 by bumping up the paimon
version to 1.3.1.

Background:
The following PR: https://github.com/apache/incubator-paimon/pull/6363
has been merged by the paimon community since paimon-1.3.0, so in
impala we need to upgrade the paimon version to 1.3.0 or later to fix
the CVE as well.

Testing:
- All paimon-related tests pass.

Change-Id: Ie8052f71a5e2a4e39b0ac39b6d349e55f10092bc
Reviewed-on: http://gerrit.cloudera.org:8080/23717
Reviewed-by: Riza Suminto <[email protected]>
Reviewed-by: Csaba Ringhofer <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>


> Bump up paimon version to 1.3.1 for CVE-2025-46762
> --------------------------------------------------
>
>                 Key: IMPALA-14579
>                 URL: https://issues.apache.org/jira/browse/IMPALA-14579
>             Project: IMPALA
>          Issue Type: Sub-task
>            Reporter: jichen
>            Assignee: jichen
>            Priority: Minor
>
> *CVE-2025-46762:*
> Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and 
> previous versions allows bad actors to execute arbitrary code. While 1.15.1 
> introduced a fix to restrict untrusted packages, the default setting of 
> trusted packages still allows malicious classes from these packages to be 
> executed. The exploit is only applicable if the client code of parquet-avro 
> uses the "specific" or the "reflect" models deliberately for reading Parquet 
> files. (The "generic" model is not impacted.)
> The following PR, [parquet] Bump parquet version to 1.15.2 (#6363),
> has been merged since paimon-1.3.0, so in impala we need to upgrade the
> paimon version to 1.3.0 or later to fix the CVE as well.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
