lhotari opened a new issue, #25139: URL: https://github.com/apache/pulsar/issues/25139
### Discussed in https://github.com/apache/pulsar/discussions/25137

<div type='discussions-op-text'>

<sup>Originally posted by **kontotto** January 13, 2026</sup>

## Summary

There is a reported security vulnerability in `io.airlift:aircompressor`, which is used as a dependency in Apache Pulsar.

- CVE: https://www.cve.org/CVERecord?id=CVE-2025-67721
- Affected dependency version in Pulsar: https://github.com/apache/pulsar/blob/1fcdf8bb9a97fbc4c0db78c4aa8df2b1fae02a65/pom.xml#L263

## Background

This vulnerability appears to be fixed in `io.airlift:aircompressor` version 3.4.x and later. However, the 3.x series requires **Java 22 or later**, which may make a straightforward upgrade challenging given Apache Pulsar’s supported Java versions.

On the other hand, the 0.x and 2.x series support **Java 8 and later**, which aligns better with Pulsar’s current Java compatibility policy.

In addition, the maintenance activity of `io.airlift:aircompressor` seems relatively low, which raises concerns from a long-term security perspective.

## Possible Approaches

From an external user’s point of view, the following options seem possible:

- Evaluate upgrading to `aircompressor` 3.x, taking the Java version requirements into account
- Consider replacing `aircompressor` with an alternative library, given its maintenance status
- **Apply a backport fix to the Java 8–compatible 0.x or 2.x series (the 2.x series appears to have relatively small code differences from 0.x), and then update the dependency**

## Question

Could you please share the current or planned approach for handling this vulnerability in Apache Pulsar, including how the Java version requirements are being considered?

</div>

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
