This is an automated email from the ASF dual-hosted git repository.

lhotari pushed a commit to branch branch-4.0
in repository https://gitbox.apache.org/repos/asf/pulsar.git

commit 2ac6d033e1ca2650e73296c9b47620b2ba932ce3
Author: guptas6est <[email protected]>
AuthorDate: Mon Feb 2 21:59:58 2026 +0530

    [fix][sec] Exclude org.lz4:lz4-java and standardize on at.yawk.lz4-java to 
remediate CVE-2025-12183 and CVE-2025-66566 (#25198)
    
    (cherry picked from commit c07f2adbaccc34c05bfbb895889f464fa9cc495f)
---
 distribution/server/src/assemble/LICENSE.bin.txt | 2 +-
 pom.xml                                          | 7 +++++++
 pulsar-common/pom.xml                            | 1 -
 pulsar-io/debezium/core/pom.xml                  | 4 ++++
 pulsar-io/kafka-connect-adaptor/pom.xml          | 4 ++++
 pulsar-io/kafka/pom.xml                          | 4 ++++
 pulsar-io/kinesis-kpl-shaded/pom.xml             | 6 ++++++
 pulsar-io/kinesis/pom.xml                        | 6 ++++++
 8 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/distribution/server/src/assemble/LICENSE.bin.txt 
b/distribution/server/src/assemble/LICENSE.bin.txt
index c6e15f67ccf..7b684b6c856 100644
--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -385,7 +385,7 @@ The Apache Software License, Version 2.0
     - org.apache.bookkeeper-bookkeeper-slogger-api-4.17.3.jar
     - org.apache.bookkeeper-bookkeeper-slogger-slf4j-4.17.3.jar
     - org.apache.bookkeeper-native-io-4.17.3.jar
-    - at.yawk.lz4-lz4-java-1.10.2.jar
+    - at.yawk.lz4-lz4-java-1.10.3.jar
   * Apache HTTP Client
     - org.apache.httpcomponents-httpclient-4.5.13.jar
     - org.apache.httpcomponents-httpcore-4.4.15.jar
diff --git a/pom.xml b/pom.xml
index 71a9c558995..47a19124cd9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -370,6 +370,7 @@ flexible messaging model and an intuitive client 
API.</description>
     <commons-beanutils.version>1.11.0</commons-beanutils.version>
     <commons-configuration2.version>2.12.0</commons-configuration2.version>
     <mina-core.version>2.1.10</mina-core.version>
+    <lz4java.version>1.10.3</lz4java.version>
   </properties>
 
   <dependencyManagement>
@@ -1762,6 +1763,12 @@ flexible messaging model and an intuitive client 
API.</description>
         <artifactId>commons-configuration2</artifactId>
         <version>${commons-configuration2.version}</version>
       </dependency>
+
+      <dependency>
+        <groupId>at.yawk.lz4</groupId>
+        <artifactId>lz4-java</artifactId>
+        <version>${lz4java.version}</version>
+      </dependency>
     </dependencies>
   </dependencyManagement>
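Review bot: Managing `at.yawk.lz4:lz4-java` here does not by itself keep `org.lz4:lz4-java` out of the build, because Maven only substitutes versions within the same groupId:artifactId and exclusions are declared per dependency; any module that gains a new transitive path to `org.lz4:lz4-java` (a future kafka-clients or debezium bump, a new connector) will silently pull the vulnerable artifact back in next to the fork. A maven-enforcer-plugin `bannedDependencies` rule with `<exclude>org.lz4:lz4-java</exclude>` would turn that regression into a build failure instead of a quiet reappearance of the CVE-affected jar. The plugin section of the root pom is outside this hunk, so I can't tell from here whether the enforcer plugin is already configured; if it is, the rule is a few lines added to its existing execution.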
 
diff --git a/pulsar-common/pom.xml b/pulsar-common/pom.xml
index 6df458b626a..c9adad31056 100644
--- a/pulsar-common/pom.xml
+++ b/pulsar-common/pom.xml
@@ -225,7 +225,6 @@
     <dependency>
       <groupId>at.yawk.lz4</groupId>
       <artifactId>lz4-java</artifactId>
-      <version>1.10.1</version>
       <scope>test</scope>
     </dependency>
 
diff --git a/pulsar-io/debezium/core/pom.xml b/pulsar-io/debezium/core/pom.xml
index b6bb681dd0d..57007fc95af 100644
--- a/pulsar-io/debezium/core/pom.xml
+++ b/pulsar-io/debezium/core/pom.xml
@@ -81,6 +81,10 @@
           <artifactId>jose4j</artifactId>
           <groupId>org.bitbucket.b_c</groupId>
         </exclusion>
+        </exclusion>
+        <exclusion>
+          <groupId>org.lz4</groupId>
+          <artifactId>lz4-java</artifactId>
       </exclusions>
     </dependency>
 
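Review bot: As printed, the new side of this hunk is not well-formed XML: the added `</exclusion>` directly after the already closed jose4j exclusion has no matching start tag, and the new `<exclusion>` for org.lz4:lz4-java is never closed before `</exclusions>`. If that is what was committed, Maven will refuse to parse this pom; more likely the four inserted lines were reordered when this page was rendered, since the diffstat's 4 insertions match the well-formed shape used in pulsar-io/kafka/pom.xml. Either way, it is worth verifying that the file in the repository reads `<exclusion>`, `<groupId>org.lz4</groupId>`, `<artifactId>lz4-java</artifactId>`, `</exclusion>` in that order. The enclosing `<dependency>` element starts outside the hunk.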
diff --git a/pulsar-io/kafka-connect-adaptor/pom.xml 
b/pulsar-io/kafka-connect-adaptor/pom.xml
index e9df346aa8a..e680a68704d 100644
--- a/pulsar-io/kafka-connect-adaptor/pom.xml
+++ b/pulsar-io/kafka-connect-adaptor/pom.xml
@@ -89,6 +89,10 @@
           <artifactId>jose4j</artifactId>
           <groupId>org.bitbucket.b_c</groupId>
         </exclusion>
+        <exclusion>
+          <groupId>org.lz4</groupId>
+          <artifactId>lz4-java</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
 
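Review bot: Excluding `org.lz4:lz4-java` from this dependency removes the LZ4 codec from its transitive classpath, but nothing in this module's hunk adds `at.yawk.lz4:lz4-java` in its place; if the dependency being trimmed (its `<dependency>` element starts outside the hunk) loads `net.jpountz.lz4` classes at runtime, for example kafka-clients decoding LZ4-compressed record batches, the module will fail with a NoClassDefFoundError unless the replacement reaches it through another path. The same gap applies to the identical exclusions in pulsar-io/kafka/pom.xml and, inside dependencyManagement, in pulsar-io/kinesis-kpl-shaded/pom.xml and pulsar-io/kinesis/pom.xml. The straightforward fix is a direct `<dependency>` on `at.yawk.lz4:lz4-java` (version managed by the root pom) in each affected module, or at least a check with `mvn dependency:tree` that the fork already arrives transitively in each of them. This assumes the fork keeps the `net.jpountz` package as a drop-in replacement, which should be confirmed against the jar rather than inferred from the artifact name.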
diff --git a/pulsar-io/kafka/pom.xml b/pulsar-io/kafka/pom.xml
index 0b5e39e5ff8..2fffd4c298f 100644
--- a/pulsar-io/kafka/pom.xml
+++ b/pulsar-io/kafka/pom.xml
@@ -89,6 +89,10 @@
           <artifactId>jose4j</artifactId>
           <groupId>org.bitbucket.b_c</groupId>
         </exclusion>
+        <exclusion>
+          <groupId>org.lz4</groupId>
+          <artifactId>lz4-java</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
 
diff --git a/pulsar-io/kinesis-kpl-shaded/pom.xml 
b/pulsar-io/kinesis-kpl-shaded/pom.xml
index 14feb0574d8..1567e1e30d7 100644
--- a/pulsar-io/kinesis-kpl-shaded/pom.xml
+++ b/pulsar-io/kinesis-kpl-shaded/pom.xml
@@ -58,6 +58,12 @@
         <groupId>org.apache.kafka</groupId>
         <artifactId>kafka-clients</artifactId>
         <version>${kafka-client.version}</version>
+        <exclusions>
+          <exclusion>
+            <groupId>org.lz4</groupId>
+            <artifactId>lz4-java</artifactId>
+          </exclusion>
+        </exclusions>
       </dependency>
     </dependencies>
   </dependencyManagement>
diff --git a/pulsar-io/kinesis/pom.xml b/pulsar-io/kinesis/pom.xml
index 1dfb9e33479..4a1ce54de1c 100644
--- a/pulsar-io/kinesis/pom.xml
+++ b/pulsar-io/kinesis/pom.xml
@@ -44,6 +44,12 @@
         <groupId>org.apache.kafka</groupId>
         <artifactId>kafka-clients</artifactId>
         <version>${kafka-client.version}</version>
+        <exclusions>
+          <exclusion>
+            <groupId>org.lz4</groupId>
+            <artifactId>lz4-java</artifactId>
+          </exclusion>
+        </exclusions>
       </dependency>
     </dependencies>
   </dependencyManagement>
