This is an automated email from the ASF dual-hosted git repository.
gurwls223 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/spark.git
The following commit(s) were added to refs/heads/master by this push:
new 9933e9c2c54 [SPARK-45323][BUILD] Upgrade `snappy` to 1.1.10.4
9933e9c2c54 is described below
commit 9933e9c2c54e7081ef3f23c4b3804d3ecdd175ff
Author: Bjørn Jørgensen <[email protected]>
AuthorDate: Tue Sep 26 19:57:46 2023 +0900
[SPARK-45323][BUILD] Upgrade `snappy` to 1.1.10.4
### What changes were proposed in this pull request?
Upgrade snappy from 1.1.10.3 to 1.1.10.4
### Why are the changes needed?
Security Fix
Fixed SnappyInputStream so as not to allocate too large memory when
decompressing data with an extremely large chunk size by tunnelshade ([code
change](https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5))
This does not affect users only using Snappy.compress/uncompress methods
[Release note](https://github.com/xerial/snappy-java/releases)
Details
While performing mitigation efforts related to
[CVE-2023-34455](https://nvd.nist.gov/vuln/detail/CVE-2023-34455) in Confluent
products, our Application Security team closely analyzed the fix that was
accepted and merged into snappy-java version 1.1.10.1 in
[this](https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea)
commit. The check on [line
421](https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea#diff-c3e536102670929
[...]
### Does this PR introduce _any_ user-facing change?
No.
### How was this patch tested?
Pass GA
### Was this patch authored or co-authored using generative AI tooling?
No.
Closes #43108
Closes #43109 from bjornjorgensen/snappy_compress.
Authored-by: Bjørn Jørgensen <[email protected]>
Signed-off-by: Hyukjin Kwon <[email protected]>
---
dev/deps/spark-deps-hadoop-3-hive-2.3 | 2 +-
pom.xml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/dev/deps/spark-deps-hadoop-3-hive-2.3
b/dev/deps/spark-deps-hadoop-3-hive-2.3
index f11a7d757f1..206361e1efa 100644
--- a/dev/deps/spark-deps-hadoop-3-hive-2.3
+++ b/dev/deps/spark-deps-hadoop-3-hive-2.3
@@ -240,7 +240,7 @@ shims/0.9.45//shims-0.9.45.jar
slf4j-api/2.0.9//slf4j-api-2.0.9.jar
snakeyaml-engine/2.6//snakeyaml-engine-2.6.jar
snakeyaml/2.0//snakeyaml-2.0.jar
-snappy-java/1.1.10.3//snappy-java-1.1.10.3.jar
+snappy-java/1.1.10.4//snappy-java-1.1.10.4.jar
spire-macros_2.13/0.18.0//spire-macros_2.13-0.18.0.jar
spire-platform_2.13/0.18.0//spire-platform_2.13-0.18.0.jar
spire-util_2.13/0.18.0//spire-util_2.13-0.18.0.jar
diff --git a/pom.xml b/pom.xml
index 33dc854dd26..5fd3e173857 100644
--- a/pom.xml
+++ b/pom.xml
@@ -188,7 +188,7 @@
<fasterxml.jackson.databind.version>2.15.2</fasterxml.jackson.databind.version>
<ws.xmlschema.version>2.3.0</ws.xmlschema.version>
<org.glassfish.jaxb.txw2.version>3.0.2</org.glassfish.jaxb.txw2.version>
- <snappy.version>1.1.10.3</snappy.version>
+ <snappy.version>1.1.10.4</snappy.version>
<netlib.ludovic.dev.version>3.0.3</netlib.ludovic.dev.version>
<commons-codec.version>1.16.0</commons-codec.version>
<commons-compress.version>1.24.0</commons-compress.version>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
