An update for avro is now available for openEuler-24.03-LTS
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2024-1918
Final
1.0
1.0
2024-08-02
Initial
2024-08-02
2024-08-02
openEuler SA Tool V1.0
2024-08-02
avro security update
An update for avro is now available for openEuler-24.03-LTS.
Apache Avro is a data serialization system.
Security Fix(es):
When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.
This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.
(CVE-2023-39410)
An update for avro is now available for openEuler-24.03-LTS.
openEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
High
avro
https://www.openeuler.org/en/security/security-bulletins/detail?id=openEuler-SA-2024-1918
https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2023-39410
https://nvd.nist.gov/vuln/detail/CVE-2023-39410
openEuler-24.03-LTS
avro-1.10.2-5.oe2403.aarch64.rpm
avro-1.10.2-5.oe2403.src.rpm
avro-1.10.2-5.oe2403.x86_64.rpm
When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.
2024-08-02
CVE-2023-39410
openEuler-24.03-LTS
High
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
avro security update
2024-08-02
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1918