From 8cb02324e906774a53f085a97fe5cb2c68da821d Mon Sep 17 00:00:00 2001
From: Devin Smith
Date: Thu, 1 Feb 2024 14:03:47 -0800
Subject: [PATCH] Update avro version (#5104)
Fixes CVE-2023-39410, which could cause a out-of-memory when reading untrusted avro data. Unlikely to be relevant in the context of Kafka.
---
 extensions/kafka/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/extensions/kafka/build.gradle b/extensions/kafka/build.gradle
index 9a859b61edb..72003d77cf7 100644
--- a/extensions/kafka/build.gradle
+++ b/extensions/kafka/build.gradle
@@ -10,7 +10,7 @@ dependencies {
 api project(':engine-processor')
- api 'org.apache.avro:avro:1.11.2'
+ api 'org.apache.avro:avro:1.11.3'
 // Using io.confluent dependencies requires code in the toplevel build.gradle to add their maven repository.
 // Note: the -ccs flavor is provided by confluent as their community edition. It is equivalent to the maven central