oss-sec mailing list archives
Apache ORC 1.5.0 and 1.4.4 Released
From: "Owen O'Malley" <owen.omalley () gmail com>
Date: Thu, 17 May 2018 15:10:15 -0700
All, This week we released two releases ORC 1.5.0 and ORC 1.4.4. The 1.5 release adds some great new features: - New C++ Writer - Support for variable length HDFS blocks - CSV to ORC converter - Much faster decimal implementation for precision <= 18 digits - Support for building C++ library on Microsoft Visual C++. - Support for older versions of Hadoop (all of the way back to 2.2.x) For more details, please see https://orc.apache.org/news/2018/05/14/ORC-1.5.0/ . These releases also fix a denial of service vulnerability. Users are encouraged to update. # CVE-2018-8015: Apache ORC denial of service vulnerability ## Severity: Medium ## Vendor: [The Apache Software Foundation](https://apache.org) ## Versions Affected: * ORC 1.0.0 to 1.4.3 ## Description: A malformed ORC file can trigger an endlessly recursive function call in the C++ or Java parser. The impact of this bug is most likely denial-of-service against software that uses the ORC file parser. With the C++ parser, the stack overflow might possibly corrupt the stack. ## Mitigation: * 1.3.x and 1.4.x users should upgrade to 1.4.4. * 1.0.x to 1.2.x users should apply ORC-360 (Java) and ORC-313 (C++). ## Example: An ORC file with a struct, union, array, or map type that includes itself as a child will cause the parser to infinitely recurse until the stack overflows. ## Credit: This issue was discovered by Terry Chia. ## References: [Apache ORC security](https://orc.apache.org/security/)
Current thread:
- Apache ORC 1.5.0 and 1.4.4 Released Owen O'Malley (May 17)