Upgrade Avro version to 1.11.0

[esikgabi]

The 1.10.2 Avro version has several vulnerabilities AVRO-3227 which are fixed in the 1.11.0 version AVRO-3215.

[ewencp]

The dependency version info can be lifted up into this pom.xml, but we already have commons-compress at 1.21 in ksqldb, schema-registry, connect-replicator, control-center, etc. I think that has also been backported to all supported versions.

A version upgrade for Avro needs to be handled carefully as we'd need to check for any incompatibilities, especially in backporting to earlier versions. Given the issue is already addressed by pinning the commons-compress version, I'm not sure we'd want to do more here other than updating master to the new version after evaluating any potential compatibility issues.

[esikgabi]

It seems the avro version was upgraded: a4eed43
Which release will contain this change?
Is there any place where we can check the planned releases? (time and contained features/fixes)
Thanks

[junquero]

Avro version 1.11.0 has a transitive dependency with jackson-databind that has the CVE-2020-36518 which has been updated in avro 1.11.1.