This is an automated email from the ASF dual-hosted git repository.

stevel pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/hadoop.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 8602fe7ea84 HADOOP-19747. Switch to at.yawk.lz4:lz4-java:1.9.0 due to 
CVE-2025-12183 (#8116)
8602fe7ea84 is described below

commit 8602fe7ea84052cf357643813c120691ec07279e
Author: PJ Fanning <[email protected]>
AuthorDate: Thu Dec 4 15:53:20 2025 +0100

    HADOOP-19747. Switch to at.yawk.lz4:lz4-java:1.9.0 due to CVE-2025-12183 
(#8116)
    
    
    The hadoop decompressor org.apache.hadoop.io.compress.lz4.Lz4Compressor
    instantiated a decompressor via a call to
    
        LZ4Factory.fastestInstance().safeDecompressor()
    
    and so is not directly vulnerable to CVE-2025-12183.
    
    see https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183
    
    Contributed by PJ Fanning
---
 LICENSE-binary                                                        | 2 +-
 hadoop-client-modules/hadoop-client-integration-tests/pom.xml         | 2 +-
 hadoop-common-project/hadoop-common/pom.xml                           | 2 +-
 hadoop-hdfs-project/hadoop-hdfs/pom.xml                               | 2 +-
 .../hadoop-mapreduce-client-nativetask/pom.xml                        | 2 +-
 hadoop-project/pom.xml                                                | 4 ++--
 6 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/LICENSE-binary b/LICENSE-binary
index 757a1806544..f4640d4fd6b 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -213,6 +213,7 @@ 
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/static/nvd3-1.8.5.* (css and js
 
hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/checker/AbstractFuture.java
 
hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/checker/TimeoutFuture.java
 
+at.yawk.lz4:lz4-java:1.9.0
 ch.qos.reload4j:reload4j:1.2.22
 com.aliyun:aliyun-java-core:0.2.11-beta
 com.aliyun:aliyun-java-sdk-core:4.5.10
@@ -426,7 +427,6 @@ 
org.eclipse.jetty.websocket:javax-websocket-client-impl:9.4.57.v20241219
 org.eclipse.jetty.websocket:javax-websocket-server-impl:9.4.57.v20241219
 org.ehcache:ehcache:3.8.2
 org.ini4j:ini4j:0.5.4
-org.lz4:lz4-java:1.7.1
 org.objenesis:objenesis:2.6
 org.xerial.snappy:snappy-java:1.1.10.4
 org.yaml:snakeyaml:2.0
diff --git a/hadoop-client-modules/hadoop-client-integration-tests/pom.xml 
b/hadoop-client-modules/hadoop-client-integration-tests/pom.xml
index 9f802de367d..62f26984dd1 100644
--- a/hadoop-client-modules/hadoop-client-integration-tests/pom.xml
+++ b/hadoop-client-modules/hadoop-client-integration-tests/pom.xml
@@ -63,7 +63,7 @@
       <scope>test</scope>
     </dependency>
     <dependency>
-      <groupId>org.lz4</groupId>
+      <groupId>at.yawk.lz4</groupId>
       <artifactId>lz4-java</artifactId>
       <scope>test</scope>
     </dependency>
diff --git a/hadoop-common-project/hadoop-common/pom.xml 
b/hadoop-common-project/hadoop-common/pom.xml
index 9eafcb3db9f..6b42648a7d8 100644
--- a/hadoop-common-project/hadoop-common/pom.xml
+++ b/hadoop-common-project/hadoop-common/pom.xml
@@ -366,7 +366,7 @@
       <scope>compile</scope>
     </dependency>
     <dependency>
-      <groupId>org.lz4</groupId>
+      <groupId>at.yawk.lz4</groupId>
       <artifactId>lz4-java</artifactId>
       <scope>provided</scope>
     </dependency>
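Review bot: The `provided` scope on this dependency means hadoop-common does not pass lz4-java on to its consumers, so a deployment that puts `org.lz4:lz4-java` on the runtime classpath itself is unaffected by this coordinate swap. A comment on the dependency would record that, for example `<!-- at.yawk.lz4 fork replaces org.lz4:lz4-java (CVE-2025-12183); runtime classpaths must supply this artifact -->`. The enclosing `<dependencies>` block starts and ends outside the hunk.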
diff --git a/hadoop-hdfs-project/hadoop-hdfs/pom.xml 
b/hadoop-hdfs-project/hadoop-hdfs/pom.xml
index 19fd9e8b628..e62e8bfb46d 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/pom.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs/pom.xml
@@ -228,7 +228,7 @@ https://maven.apache.org/xsd/maven-4.0.0.xsd";>
         <scope>test</scope>
     </dependency>
     <dependency>
-      <groupId>org.lz4</groupId>
+      <groupId>at.yawk.lz4</groupId>
       <artifactId>lz4-java</artifactId>
       <scope>test</scope>
     </dependency>
diff --git 
a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-nativetask/pom.xml
 
b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-nativetask/pom.xml
index 5ffa4f52b30..5228b8dad13 100644
--- 
a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-nativetask/pom.xml
+++ 
b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-nativetask/pom.xml
@@ -56,7 +56,7 @@
       <scope>test</scope>
     </dependency>
     <dependency>
-      <groupId>org.lz4</groupId>
+      <groupId>at.yawk.lz4</groupId>
       <artifactId>lz4-java</artifactId>
       <scope>test</scope>
     </dependency>
diff --git a/hadoop-project/pom.xml b/hadoop-project/pom.xml
index 0aa3f1494bc..f913e14d2e2 100644
--- a/hadoop-project/pom.xml
+++ b/hadoop-project/pom.xml
@@ -149,7 +149,7 @@
     <metrics.version>3.2.4</metrics.version>
     <netty4.version>4.1.127.Final</netty4.version>
     <snappy-java.version>1.1.10.4</snappy-java.version>
-    <lz4-java.version>1.7.1</lz4-java.version>
+    <lz4-java.version>1.9.0</lz4-java.version>
     <byte-buddy.version>1.17.6</byte-buddy.version>
 
     <!-- Maven protoc compiler -->
@@ -2090,7 +2090,7 @@
         </exclusions>
       </dependency>
       <dependency>
-        <groupId>org.lz4</groupId>
+        <groupId>at.yawk.lz4</groupId>
         <artifactId>lz4-java</artifactId>
         <version>${lz4-java.version}</version>
       </dependency>
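Review bot: Replacing the groupId in this versioned entry means the build no longer manages `org.lz4:lz4-java` at all, so a transitive dependency that still declares the old coordinates would resolve at its own version. Maven would treat it as a different artifact from `at.yawk.lz4:lz4-java`, and both jars could end up on the classpath. Whether any Hadoop dependency does this is not visible in the diff; `mvn dependency:tree -Dincludes=org.lz4:lz4-java` would show it. A maven-enforcer `bannedDependencies` rule containing `<exclude>org.lz4:lz4-java</exclude>` would fail the build if the old artifact returns. The same applies to the per-module groupId changes in the other pom.xml hunks, and the block enclosing this entry extends beyond the hunk.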

