
Upgrade Avro version to 1.11.0

Open esikgabi opened this issue 3 years ago • 3 comments

The 1.10.2 Avro version has several vulnerabilities (AVRO-3227), which are fixed in the 1.11.0 version (AVRO-3215).

esikgabi, Jan 05 '22 10:01

The dependency version info can be lifted up into this pom.xml, but we already have commons-compress at 1.21 in ksqldb, schema-registry, connect-replicator, control-center, etc. I think that has also been backported to all supported versions.

A version upgrade for Avro needs to be handled carefully as we'd need to check for any incompatibilities, especially in backporting to earlier versions. Given the issue is already addressed by pinning the commons-compress version, I'm not sure we'd want to do more here other than updating master to the new version after evaluating any potential compatibility issues.

ewencp, Jan 06 '22 23:01

It seems the Avro version was upgraded: https://github.com/confluentinc/common/commit/a4eed4387e2d6993646de87243b9942715423cc3. Which release will contain this change? Is there any place where we can check the planned releases (time and contained features/fixes)? Thanks.

esikgabi, Feb 09 '22 10:02

Avro version 1.11.0 has a transitive dependency on jackson-databind that has CVE-2020-36518, which has been updated in Avro 1.11.1.

junquero, Sep 12 '22 07:09
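As an added illustration (not code from the confluentinc/common repository or from any commenter), this Maven fragment shows the approach the thread discusses: pinning Avro, commons-compress and jackson-databind in `dependencyManagement`, which overrides whatever versions Avro would otherwise pull in transitively. Avro 1.11.1 and commons-compress 1.21 are the versions named in the thread; the jackson-databind version is a placeholder, since the page does not state which release fixes CVE-2020-36518.

```xml
<!-- Added example, not the project's own pom.xml. Versions for Avro and
     commons-compress come from the issue thread; the jackson-databind
     version is a placeholder to be replaced with the fixed release. -->
<properties>
  <avro.version>1.11.1</avro.version>
  <commons-compress.version>1.21</commons-compress.version>
  <!-- PLACEHOLDER: set to the jackson-databind release that fixes CVE-2020-36518 -->
  <jackson-databind.version>FIXED_VERSION_PLACEHOLDER</jackson-databind.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- Direct dependency: upgrade from 1.10.2 to the fixed 1.11.x line -->
    <dependency>
      <groupId>org.apache.avro</groupId>
      <artifactId>avro</artifactId>
      <version>${avro.version}</version>
    </dependency>
    <!-- Transitive via Avro: pin so every module resolves the patched release -->
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-compress</artifactId>
      <version>${commons-compress.version}</version>
    </dependency>
    <!-- Transitive via Avro 1.11.0: pin until the Avro upgrade itself lands -->
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson-databind.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

To confirm that the pin took effect in a given module, `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` lists the version that was actually resolved.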