Avro 1.11.5

  less than a minute  

The Apache Avro community is pleased to announce the release of Avro 1.11.5!

All signed release artifacts, signatures and verification instructions can be found here

Security Fixes

This release addresses 4 security fixes:

  • Prevent class with empty Java package being trusted by SpecificDatumReader (#3311)
  • Remove the default serializable packages and deprecated the property to introduce org.apache.avro.SERIALIZABLE_CLASSES instead (#3376)
  • java-[key-]class allowed packages must be packages (#3453)
  • AVRO-4053: doc consistency in velocity templates (#3150)

These fixes apply only to the Java SDK. All other SDKs have no difference with their 1.11.4 release.

Language SDK / Convenience artifacts

Thanks to everyone for contributing!

Last modified October 27, 2025: Add package-lock.json fpr the docs build (c39d0ac)