Cloudera Runtime Release Notes

Avro

You can review the list of reported issues and their fixes for Avro in 7.3.1.100.

CDPD-47852: Removed the old CDH versions and parent
Removed the old CDH repository reference for artefacts to support builds with newer dependency versions.
CDPD-45628: Upgraded Apache Maven to 3.8.6 due to CVE-2021-26291
Removed the Maven prerequisites of version 2.2.1 and upgraded maven-core to 3.8.6 to fix CVE-2021-26291. Also upgraded the plexus-utils version to 3.5.0 and the Apache file-management version to 3.0.0 to support the upgrade.
CDPD-75089: Restrict trusted packages in ReflectData and SpecificData
Schema parsing in the Java SDK of Apache Avro had an issue that allowed malicious actors to execute arbitrary code when reading Avro data. This issue is now resolved by restricting trusted packages in ReflectData and SpecificData.

Apache Jira: AVRO-3985