Skip to content

[fix][sec] Upgrade avro to 1.12.1 #24992

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
lhotari wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

[fix][sec] Upgrade avro to 1.12.1 #24992

lhotari wants to merge 1 commit into from

Conversation

@lhotari
Copy link
Member

@lhotari lhotari commented Nov 17, 2025
edited
Loading

Motivation

avro 1.12.1 contains 4 security fixes:
https://avro.apache.org/blog/2025/10/16/avro-1.12.1/

Modifications

Upgrade avro from 1.12.0 to 1.12.1

Blocked by Avro bug causing StackOverflowError with recursive data structures

reported as https://issues.apache.org/jira/browse/AVRO-4209

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

@lhotari lhotari added this to the 4.2.0 milestone Nov 17, 2025
@lhotari lhotari self-assigned this Nov 17, 2025
@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Nov 17, 2025
@lhotari
Copy link
Member Author

lhotari commented Nov 20, 2025

The change apache/avro#3304 causes the StackOverflowError issue.

  Caused by: java.lang.StackOverflowError
  	at org.apache.avro.specific.SpecificData.createSchema(SpecificData.java:492)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:673)
  	at org.apache.avro.reflect.ReflectData.createNonStringMapSchema(ReflectData.java:548)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:642)
  	at org.apache.avro.reflect.ReflectData.createFieldSchema(ReflectData.java:894)
  	at org.apache.avro.reflect.ReflectData$AllowNull.createFieldSchema(ReflectData.java:98)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:744)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:649)
  	at org.apache.avro.reflect.ReflectData.createFieldSchema(ReflectData.java:894)
  	at org.apache.avro.reflect.ReflectData$AllowNull.createFieldSchema(ReflectData.java:98)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:744)
  	at org.apache.avro.reflect.ReflectData.createNonStringMapSchema(ReflectData.java:549)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:642)
  	at org.apache.avro.reflect.ReflectData.createFieldSchema(ReflectData.java:894)
  	at org.apache.avro.reflect.ReflectData$AllowNull.createFieldSchema(ReflectData.java:98)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:744)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:649)
  	at org.apache.avro.reflect.ReflectData.createFieldSchema(ReflectData.java:894)
  	at org.apache.avro.reflect.ReflectData$AllowNull.createFieldSchema(ReflectData.java:98)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:744)
  	at org.apache.avro.reflect.ReflectData.createNonStringMapSchema(ReflectData.java:549)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:642)
  	at org.apache.avro.reflect.ReflectData.createFieldSchema(ReflectData.java:894)
  	at org.apache.avro.reflect.ReflectData$AllowNull.createFieldSchema(ReflectData.java:98)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:744)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:649)
  	at org.apache.avro.reflect.ReflectData.createFieldSchema(ReflectData.java:894)
  	at org.apache.avro.reflect.ReflectData$AllowNull.createFieldSchema(ReflectData.java:98)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:744)
  	at org.apache.avro.reflect.ReflectData.createNonStringMapSchema(ReflectData.java:549)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:642)
  	at org.apache.avro.reflect.ReflectData.createFieldSchema(ReflectData.java:894)
  	at org.apache.avro.reflect.ReflectData$AllowNull.createFieldSchema(ReflectData.java:98)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:744)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:649)
  	at org.apache.avro.reflect.ReflectData.createFieldSchema(ReflectData.java:894)
  	at org.apache.avro.reflect.ReflectData$AllowNull.createFieldSchema(ReflectData.java:98)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:744)
  	at org.apache.avro.reflect.ReflectData.createNonStringMapSchema(ReflectData.java:549)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:642)
  	at org.apache.avro.reflect.ReflectData.createFieldSchema(ReflectData.java:894)
  	at org.apache.avro.reflect.ReflectData$AllowNull.createFieldSchema(ReflectData.java:98)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:744)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:649)
  	at org.apache.avro.reflect.ReflectData.createFieldSchema(ReflectData.java:894)
  	at org.apache.avro.reflect.ReflectData$AllowNull.createFieldSchema(ReflectData.java:98)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:744)
  	at org.apache.avro.reflect.ReflectData.createNonStringMapSchema(ReflectData.java:549)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:642)
  	at org.apache.avro.reflect.ReflectData.createFieldSchema(ReflectData.java:894)
  	at org.apache.avro.reflect.ReflectData$AllowNull.createFieldSchema(ReflectData.java:98)
  	at org.apache.avro.reflect.ReflectData.createSchema(ReflectData.java:744)

@lhotari lhotari mentioned this pull request Nov 20, 2025
Closed
2 tasks
@lhotari
Copy link
Member Author

lhotari commented Nov 20, 2025

Issue reported to Avro project: https://issues.apache.org/jira/browse/AVRO-4209

@codecov-commenter
Copy link

codecov-commenter commented Nov 21, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 38.63%. Comparing base (212ee6a) to head (e1ac129).
⚠️ Report is 6 commits behind head on master.

❗ There is a different number of reports uploaded between BASE (212ee6a) and HEAD (e1ac129). Click for more details.

HEAD has 1 upload less than BASE
Flag BASE (212ee6a) HEAD (e1ac129)
unittests 2 1
Additional details and impacted files

Impacted file tree graph

@@              Coverage Diff              @@
##             master   #24992       +/-   ##
=============================================
- Coverage     74.28%   38.63%   -35.66%     
+ Complexity    34065    13325    -20740     
=============================================
  Files          1920     1863       -57     
  Lines        150302   146139     -4163     
  Branches      17450    16964      -486     
=============================================
- Hits         111656    56458    -55198     
- Misses        29740    82057    +52317     
+ Partials       8906     7624     -1282
Flag Coverage Δ
inttests 26.41% <ø> (-0.05%) ⬇️
systests 22.95% <ø> (+0.04%) ⬆️
unittests 34.79% <ø> (-39.03%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 1417 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@lhotari lhotari marked this pull request as draft November 21, 2025 12:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Technoboy- Technoboy- Technoboy- approved these changes

@crossoverJie crossoverJie crossoverJie approved these changes

@nodece nodece nodece approved these changes

@dao-jun dao-jun dao-jun approved these changes

Assignees

@lhotari lhotari

Labels

area/security doc-not-needed Your PR changes do not impact docs ready-to-test release/4.0.9 release/4.1.3

Projects

None yet

Milestone

4.2.0

Development

Successfully merging this pull request may close these issues.

6 participants

@lhotari @codecov-commenter @Technoboy- @crossoverJie @nodece @dao-jun