From d6651184d0fb5e197a7cefab9716f55caef4fa8d Mon Sep 17 00:00:00 2001 From: Abhishek Nath Date: Mon, 15 Jun 2026 12:06:39 -0700 Subject: [PATCH 1/3] =?UTF-8?q?Bump=20Avro=20to=201.11.4=20=E2=80=94=20CVE?= =?UTF-8?q?-2024-47561?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- versions.props | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions.props b/versions.props index 8c5772987..b0a116a40 100644 --- a/versions.props +++ b/versions.props @@ -1,6 +1,6 @@ org.slf4j:* = 1.7.36 com.palantir.tritium:* = 0.17.0 -org.apache.avro:avro = 1.11.1 +org.apache.avro:avro = 1.11.4 org.apache.calcite:* = 1.10.0 org.apache.hadoop:* = 2.7.3 org.apache.hive:* = 2.3.8 From a49d26edf209835aca5c8098f4ce44bc54dc65fe Mon Sep 17 00:00:00 2001 From: Abhishek Nath Date: Mon, 15 Jun 2026 14:05:09 -0700 Subject: [PATCH 2/3] Accept revapi break: Avro 1.11.4 generic-type-parameter refinement on Conversion.toEnumSymbol --- .palantir/revapi.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.palantir/revapi.yml b/.palantir/revapi.yml index 1a97cee35..6b6bb0adc 100644 --- a/.palantir/revapi.yml +++ b/.palantir/revapi.yml @@ -591,3 +591,12 @@ acceptedBreaks: \ boolean)" justification: "IncrementalScanEvent should only be constructed by Iceberg code.\ \ Hence the change of constructor params shouldn't affect users" + - code: "java.method.returnTypeTypeParametersChanged" + old: "method org.apache.avro.generic.GenericEnumSymbol org.apache.avro.Conversion::toEnumSymbol(T,\ + \ org.apache.avro.Schema, org.apache.avro.LogicalType) @ org.apache.iceberg.avro.UUIDConversion" + new: "method org.apache.avro.generic.GenericEnumSymbol org.apache.avro.Conversion::toEnumSymbol(T,\ + \ org.apache.avro.Schema, org.apache.avro.LogicalType) @ org.apache.iceberg.avro.UUIDConversion" + justification: "Avro 1.11.1 -> 1.11.4 (CVE-2024-47561): generic-type-parameter\ + \ refinement on inherited Avro method (GenericEnumSymbol -> GenericEnumSymbol).\ + \ Binary-compatible via type erasure; only the source-level signature changed.\ + \ Iceberg's UUIDConversion does not override this method." From 1d877e4eef8bbec3268b95cc22ca245e5a0b17be Mon Sep 17 00:00:00 2001 From: Abhishek Nath Date: Mon, 15 Jun 2026 14:21:52 -0700 Subject: [PATCH 3/3] Place revapi break under 1.1.0:iceberg-core, not at end of file --- .palantir/revapi.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.palantir/revapi.yml b/.palantir/revapi.yml index 6b6bb0adc..5d3d475e3 100644 --- a/.palantir/revapi.yml +++ b/.palantir/revapi.yml @@ -399,6 +399,15 @@ acceptedBreaks: \ @ org.apache.iceberg.BaseReplacePartitions" new: "method org.apache.iceberg.BaseReplacePartitions org.apache.iceberg.BaseReplacePartitions::toBranch(java.lang.String)" justification: "Introducing branch snapshot operations for BaseReplacePartitions" + - code: "java.method.returnTypeTypeParametersChanged" + old: "method org.apache.avro.generic.GenericEnumSymbol org.apache.avro.Conversion::toEnumSymbol(T,\ + \ org.apache.avro.Schema, org.apache.avro.LogicalType) @ org.apache.iceberg.avro.UUIDConversion" + new: "method org.apache.avro.generic.GenericEnumSymbol org.apache.avro.Conversion::toEnumSymbol(T,\ + \ org.apache.avro.Schema, org.apache.avro.LogicalType) @ org.apache.iceberg.avro.UUIDConversion" + justification: "Avro 1.11.1 -> 1.11.4 (CVE-2024-47561): generic-type-parameter\ + \ refinement on inherited Avro method (GenericEnumSymbol -> GenericEnumSymbol).\ + \ Binary-compatible via type erasure; only the source-level signature changed.\ + \ Iceberg's UUIDConversion does not override this method." org.apache.iceberg:iceberg-orc: - code: "java.method.removed" old: "method org.apache.iceberg.orc.ORC.WriteBuilder org.apache.iceberg.orc.ORC.WriteBuilder::config(java.lang.String,\ @@ -591,12 +600,3 @@ acceptedBreaks: \ boolean)" justification: "IncrementalScanEvent should only be constructed by Iceberg code.\ \ Hence the change of constructor params shouldn't affect users" - - code: "java.method.returnTypeTypeParametersChanged" - old: "method org.apache.avro.generic.GenericEnumSymbol org.apache.avro.Conversion::toEnumSymbol(T,\ - \ org.apache.avro.Schema, org.apache.avro.LogicalType) @ org.apache.iceberg.avro.UUIDConversion" - new: "method org.apache.avro.generic.GenericEnumSymbol org.apache.avro.Conversion::toEnumSymbol(T,\ - \ org.apache.avro.Schema, org.apache.avro.LogicalType) @ org.apache.iceberg.avro.UUIDConversion" - justification: "Avro 1.11.1 -> 1.11.4 (CVE-2024-47561): generic-type-parameter\ - \ refinement on inherited Avro method (GenericEnumSymbol -> GenericEnumSymbol).\ - \ Binary-compatible via type erasure; only the source-level signature changed.\ - \ Iceberg's UUIDConversion does not override this method."