[Task]: Upgrade Avro to 1.11.4 to fix CVE-2024-47561

[fabriciorby]

What needs to happen?

Hello,

I see there's this CVE-2024-47561 related to the Avro version.

I am creating this issue because the only thing I could find regarding this issue was this draft PR that should fix it, but seems abandoned to me. #32770

Thanks

Issue Priority

Priority: 1 (urgent / mostly reserved for critical bugs)

Issue Components

• Component: Python SDK
• Component: Java SDK
• Component: Go SDK
• Component: Typescript SDK
• Component: IO connector
• Component: Beam YAML
• Component: Beam examples
• Component: Beam playground
• Component: Beam katas
• Component: Website
• Component: Infrastructure
• Component: Spark Runner
• Component: Flink Runner
• Component: Samza Runner
• Component: Twister2 Runner
• Component: Hazelcast Jet Runner
• Component: Google Cloud Dataflow Runner

[liferoad]

cc @damccorm what is the status of #32770

[damccorm]

I haven't had a chance to prioritize it yet. I was hoping the upgrade would be trivial, but it doesn't look like it so far

[damccorm]

I'm planning on coming back to this soon, though (hopefully this week)