This is an automated email from the ASF dual-hosted git repository. lhotari pushed a commit to branch branch-4.1 in repository https://gitbox.apache.org/repos/asf/pulsar.git
commit aff523d2aedeb60550a97b90e0fda7326602f2db Author: guptas6est <[email protected]> AuthorDate: Mon Feb 2 21:59:58 2026 +0530 [fix][sec] Exclude org.lz4:lz4-java and standardize on at.yawk.lz4-java to remediate CVE-2025-12183 and CVE-2025-66566 (#25198) (cherry picked from commit c07f2adbaccc34c05bfbb895889f464fa9cc495f) --- distribution/server/src/assemble/LICENSE.bin.txt | 2 +- pom.xml | 7 +++++++ pulsar-common/pom.xml | 1 - pulsar-io/debezium/core/pom.xml | 4 ++++ pulsar-io/kafka-connect-adaptor/pom.xml | 4 ++++ pulsar-io/kafka/pom.xml | 4 ++++ pulsar-io/kinesis-kpl-shaded/pom.xml | 6 ++++++ pulsar-io/kinesis/pom.xml | 6 ++++++ 8 files changed, 32 insertions(+), 2 deletions(-) diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt index e6a74695650..4f345daf571 100644 --- a/distribution/server/src/assemble/LICENSE.bin.txt +++ b/distribution/server/src/assemble/LICENSE.bin.txt @@ -385,7 +385,7 @@ The Apache Software License, Version 2.0 - org.apache.bookkeeper-bookkeeper-slogger-api-4.17.3.jar - org.apache.bookkeeper-bookkeeper-slogger-slf4j-4.17.3.jar - org.apache.bookkeeper-native-io-4.17.3.jar - - at.yawk.lz4-lz4-java-1.10.2.jar + - at.yawk.lz4-lz4-java-1.10.3.jar * Apache HTTP Client - org.apache.httpcomponents-httpclient-4.5.13.jar - org.apache.httpcomponents-httpcore-4.4.15.jar diff --git a/pom.xml b/pom.xml index b024fdaf0c9..423cfa7ded9 100644 --- a/pom.xml +++ b/pom.xml @@ -373,6 +373,7 @@ flexible messaging model and an intuitive client API.</description> <commons-beanutils.version>1.11.0</commons-beanutils.version> <commons-configuration2.version>2.12.0</commons-configuration2.version> <mina-core.version>2.1.10</mina-core.version> + <lz4java.version>1.10.3</lz4java.version> </properties> <dependencyManagement> 
@@ -1771,6 +1772,12 @@ flexible messaging model and an intuitive client API.</description> <artifactId>commons-configuration2</artifactId> <version>${commons-configuration2.version}</version> </dependency> + + <dependency> + <groupId>at.yawk.lz4</groupId> + <artifactId>lz4-java</artifactId> + <version>${lz4java.version}</version> + </dependency> </dependencies> </dependencyManagement> diff --git a/pulsar-common/pom.xml b/pulsar-common/pom.xml index af906d2c8b2..f87c254072e 100644 --- a/pulsar-common/pom.xml +++ b/pulsar-common/pom.xml @@ -256,7 +256,6 @@ <dependency> <groupId>at.yawk.lz4</groupId> <artifactId>lz4-java</artifactId> - <version>1.10.1</version> <scope>test</scope> </dependency> diff --git a/pulsar-io/debezium/core/pom.xml b/pulsar-io/debezium/core/pom.xml index a6c4bb8a941..8bde15ca6c4 100644 --- a/pulsar-io/debezium/core/pom.xml +++ b/pulsar-io/debezium/core/pom.xml @@ -81,6 +81,10 @@ <artifactId>jose4j</artifactId> <groupId>org.bitbucket.b_c</groupId> </exclusion> + </exclusion> + <exclusion> + <groupId>org.lz4</groupId> + <artifactId>lz4-java</artifactId> </exclusions> </dependency> diff --git a/pulsar-io/kafka-connect-adaptor/pom.xml b/pulsar-io/kafka-connect-adaptor/pom.xml index 77d24a33a1c..d4a1022fc88 100644 --- a/pulsar-io/kafka-connect-adaptor/pom.xml +++ b/pulsar-io/kafka-connect-adaptor/pom.xml @@ -89,6 +89,10 @@ <artifactId>jose4j</artifactId> <groupId>org.bitbucket.b_c</groupId> </exclusion> + <exclusion> + <groupId>org.lz4</groupId> + <artifactId>lz4-java</artifactId> + </exclusion> </exclusions> </dependency> diff --git a/pulsar-io/kafka/pom.xml b/pulsar-io/kafka/pom.xml index 9821c2d2224..587dd6a5763 100644 --- a/pulsar-io/kafka/pom.xml +++ b/pulsar-io/kafka/pom.xml @@ -89,6 +89,10 @@ <artifactId>jose4j</artifactId> <groupId>org.bitbucket.b_c</groupId> </exclusion> + <exclusion> + <groupId>org.lz4</groupId> + <artifactId>lz4-java</artifactId> + </exclusion> </exclusions> </dependency> 
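Review bot: Managing at.yawk.lz4:lz4-java in `<dependencyManagement>` does nothing to keep org.lz4:lz4-java off the classpath; the only barrier is the per-dependency `<exclusion>` list added elsewhere in this commit, and any new or updated transitive path that is not individually excluded will pull the vulnerable artifact straight back in. Both artifacts ship the same `net.jpountz.lz4` package, so if that happens the jar the classloader happens to see first wins silently and the CVE remediation is undone without a build failure. Pair this managed version with a maven-enforcer `bannedDependencies` rule carrying `<exclude>org.lz4:lz4-java</exclude>` so a reintroduction fails the build instead; the `<build>`/plugins section where that rule would live is outside this hunk, as is whether the root pom already runs the enforcer.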
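Review bot: As rendered, the four added lines in the pulsar-io/debezium/core/pom.xml hunk are `</exclusion>`, `<exclusion>`, `<groupId>org.lz4</groupId>`, `<artifactId>lz4-java</artifactId>`, with no closing `</exclusion>` before the `</exclusions>` context line, which would leave a stray close tag followed by an unclosed element and make the module pom unparseable. The sibling kafka-connect-adaptor and kafka hunks add the expected `<exclusion>…</exclusion>` block, so this is probably a line-ordering artifact of the mail rendering rather than the patch itself, but it is worth checking against the cherry-picked commit since Maven will refuse the module if it is real. The `<dependency>` this exclusion belongs to starts before the hunk.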
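Review bot: Excluding org.lz4:lz4-java from this dependency (presumably kafka-clients, given the jose4j exclusion it already carries) removes the declared provider of the `net.jpountz.lz4` classes that the Kafka LZ4 codec loads, and nothing in this hunk, the kafka hunk, or the kinesis hunks declares at.yawk.lz4:lz4-java in its place; the only explicit declaration in this commit is pulsar-common's, at `test` scope. Unless the fork reaches these connectors' runtime classpath through some other dependency not visible here, a producer or consumer configured with `compression.type=lz4` would fail at runtime with a NoClassDefFoundError rather than at build time. Add an explicit `<groupId>at.yawk.lz4</groupId>` / `<artifactId>lz4-java</artifactId>` dependency (version inherited from dependencyManagement) to each module that excludes org.lz4, so the substitution is declared rather than incidental, and cover it with a test that round-trips an lz4-compressed record through the connector. The enclosing `<dependency>` element begins before the hunk.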
diff --git a/pulsar-io/kinesis-kpl-shaded/pom.xml b/pulsar-io/kinesis-kpl-shaded/pom.xml index ea44c4d8129..fa9d49e5812 100644 --- a/pulsar-io/kinesis-kpl-shaded/pom.xml +++ b/pulsar-io/kinesis-kpl-shaded/pom.xml @@ -58,6 +58,12 @@ <groupId>org.apache.kafka</groupId> <artifactId>kafka-clients</artifactId> <version>${kafka-client.version}</version> + <exclusions> + <exclusion> + <groupId>org.lz4</groupId> + <artifactId>lz4-java</artifactId> + </exclusion> + </exclusions> </dependency> </dependencies> </dependencyManagement> diff --git a/pulsar-io/kinesis/pom.xml b/pulsar-io/kinesis/pom.xml index 26eb044c56b..cca055641b1 100644 --- a/pulsar-io/kinesis/pom.xml +++ b/pulsar-io/kinesis/pom.xml @@ -44,6 +44,12 @@ <groupId>org.apache.kafka</groupId> <artifactId>kafka-clients</artifactId> <version>${kafka-client.version}</version> + <exclusions> + <exclusion> + <groupId>org.lz4</groupId> + <artifactId>lz4-java</artifactId> + </exclusion> + </exclusions> </dependency> </dependencies> </dependencyManagement>
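Review bot: This exclusion lives in the module's `<dependencyManagement>`, so it only applies where kafka-clients is actually resolved through that management, and because kinesis-kpl-shaded produces a shaded artifact, whether the banned jar really disappears from the shipped bundle depends on the maven-shade-plugin `artifactSet` and relocation configuration, which is outside this hunk. Before closing the CVE, confirm with `mvn dependency:tree -Dincludes=org.lz4` on this module and by listing the shaded jar for `net/jpountz` classes that org.lz4:lz4-java is gone; if the Kafka LZ4 codec remains reachable from this connector, also declare at.yawk.lz4:lz4-java explicitly rather than relying on it arriving transitively.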
