python310-pyarrow-14.0.1-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13431 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z python310-pyarrow-14.0.1-2.1 on GA media These are all security issues fixed in the python310-pyarrow-14.0.1-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13431 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13431 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-47248/ SUSE CVE CVE-2023-47248 page openSUSE Tumbleweed python310-pyarrow-14.0.1-2.1 python310-pyarrow-devel-14.0.1-2.1 python311-pyarrow-14.0.1-2.1 python311-pyarrow-devel-14.0.1-2.1 python39-pyarrow-14.0.1-2.1 python39-pyarrow-devel-14.0.1-2.1 python310-pyarrow-14.0.1-2.1 as a component of openSUSE Tumbleweed python310-pyarrow-devel-14.0.1-2.1 as a component of openSUSE Tumbleweed python311-pyarrow-14.0.1-2.1 as a component of openSUSE Tumbleweed python311-pyarrow-devel-14.0.1-2.1 as a component of openSUSE Tumbleweed python39-pyarrow-14.0.1-2.1 as a component of openSUSE Tumbleweed python39-pyarrow-devel-14.0.1-2.1 as a component of openSUSE Tumbleweed Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files). This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings. It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon. If it is not possible to upgrade, we provide a separate package `pyarrow-hotfix` that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions. CVE-2023-47248 openSUSE Tumbleweed:python310-pyarrow-14.0.1-2.1 openSUSE Tumbleweed:python310-pyarrow-devel-14.0.1-2.1 openSUSE Tumbleweed:python311-pyarrow-14.0.1-2.1 openSUSE Tumbleweed:python311-pyarrow-devel-14.0.1-2.1 openSUSE Tumbleweed:python39-pyarrow-14.0.1-2.1 openSUSE Tumbleweed:python39-pyarrow-devel-14.0.1-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-47248.html CVE-2023-47248 https://bugzilla.suse.com/1216991 SUSE Bug 1216991