apache / arrow

Apache Arrow is the universal columnar format and multi-language toolbox for fast data interchange and in-memory analytics
https://arrow.apache.org/
Apache License 2.0

[Java] Apache Arrow — Stack overflow in Protocol Buffers Java Lite — CVE-2024-7254 #44770

Closed hvub closed 3 days ago

hvub commented 3 days ago

Describe the enhancement requested

Regarding the Apache Arrow dependency on com.google.protobuf:protobuf-java-util (https://github.com/apache/arrow/blob/main/java/pom.xml#L101):

Please consider updating the dependency to 3.25.5 to address CVE-2024-7254.

cf. https://www.cve.org/CVERecord?id=CVE-2024-7254 https://vulert.com/vuln-db/CVE-2024-7254 https://ogma.in/understanding-cve-2024-7254-vulnerability-in-protocol-buffers-and-mitigation-strategies

Component(s)

Java
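One check a maintainer triaging a request like this would want is to confirm which protobuf version a build actually resolves, since transitive dependencies can pull in a different version than the one pinned in the pom. The script below is an added example, not code from this issue or from the Arrow project: it parses `mvn dependency:tree` output (a constructed sample is embedded so it runs offline) and flags every com.google.protobuf artifact that resolves below 3.25.5, the version the issue asks for. The function names, the sample coordinates and the `org.example:app` project are assumptions.

```shell
#!/bin/sh
# Added example (not from the Arrow issue or project): flag protobuf artifacts
# in a Maven dependency tree that resolve below the version the issue asks for.

# Version named in the issue as the one that addresses CVE-2024-7254.
FIXED_PROTOBUF_VERSION="3.25.5"

# Constructed sample of `mvn dependency:tree` output. Coordinates and versions
# are illustrative and not taken from any real Arrow build.
SAMPLE_TREE='[INFO] org.example:app:jar:1.0-SNAPSHOT
[INFO] +- com.google.protobuf:protobuf-java-util:jar:3.25.1:compile
[INFO] |  \- com.google.protobuf:protobuf-java:jar:3.25.1:compile
[INFO] +- com.google.protobuf:protobuf-kotlin:jar:4.28.2:compile
[INFO] \- io.grpc:grpc-protobuf:jar:1.63.0:compile'

# version_is_older A B: succeed (exit 0) when A is strictly lower than B,
# comparing dotted numeric components one by one (3.25.1 < 3.25.5 < 4.28.2).
# Missing components count as 0, so 3.25 compares equal to 3.25.0.
version_is_older() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "[.]"); nb = split(b, B, "[.]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1
    }'
}

# find_vulnerable_protobuf TREE_TEXT: print "artifact version" for each
# com.google.protobuf artifact whose resolved version is below the fix.
# Assumes the common group:artifact:type:version:scope form of tree lines;
# entries with a classifier (five fields before the scope) are not handled.
find_vulnerable_protobuf() {
    printf '%s\n' "$1" |
        grep -o 'com\.google\.protobuf:[^:]*:[^:]*:[^:]*' |
        while IFS=: read -r _group artifact _type version; do
            if version_is_older "$version" "$FIXED_PROTOBUF_VERSION"; then
                printf '%s %s\n' "$artifact" "$version"
            fi
        done | LC_ALL=C sort -u
}

# Stand-alone run over the constructed sample. Against a real checkout the
# input would come from: find_vulnerable_protobuf "$(mvn -q dependency:tree)"
find_vulnerable_protobuf "$SAMPLE_TREE"
```

Only the two 3.25.1 entries are reported; the 4.28.2 artifact is left alone because the comparison is numeric per component rather than a string sort, which is the detail that trips up naive grep-based version checks.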

lidavidm commented 3 days ago

Issue resolved by pull request 44775 https://github.com/apache/arrow/pull/44775