dongjoon-hyun commented on PR #50647: URL: https://github.com/apache/spark/pull/50647#issuecomment-2833763969
@CarterFendley To be correct here, I got a chance to double-check the Parquet community mailing lists today again. Here is the update as of now.

- 2025-03-21: The Apache Parquet community announced [CVE-2025-30065: Apache Parquet Java: Arbitrary code execution in the parquet-avro module when reading an Avro schema from a Parquet file metadata](https://lists.apache.org/thread/8hhr8ngcysxgnphqp5sb7ynt2x39qj85).
- 2025-04-01: [The CVE was publicly announced on April 1st](https://nvd.nist.gov/vuln/detail/CVE-2025-30065).
- 2025-04-07: There was another ongoing activity in `private@parquet` about the above patch. I cannot expose the title of the discussion threads here. However, IIUC, the Apache Parquet community is preparing another release. That's what I meant when I said Parquet 1.15.1 is partial.

BTW, this PR looks a little misleading to me because we don't want to re-iterate all library CVE announcements in Apache Spark documentation, especially when they cannot affect Spark users. So, I can give +1 if you remove the CVE ID from this PR [as I recommended](https://github.com/apache/spark/pull/50647#pullrequestreview-2780977106). I believe that recommending the new Parquet would be enough and sufficient from an Apache Spark user's perspective.