This is an automated email from the ASF dual-hosted git repository.

stevel pushed a commit to branch branch-3.4
in repository https://gitbox.apache.org/repos/asf/hadoop.git


The following commit(s) were added to refs/heads/branch-3.4 by this push:
     new b8176be80f8 HADOOP-19747. Switch to at.yawk.lz4:lz4-java:1.9.0 due to 
CVE-2025-12183 (#8116)
b8176be80f8 is described below

commit b8176be80f8949dab7ea3b2979ebb9e3ba3d1d4b
Author: PJ Fanning <[email protected]>
AuthorDate: Thu Dec 4 15:53:20 2025 +0100

    HADOOP-19747. Switch to at.yawk.lz4:lz4-java:1.9.0 due to CVE-2025-12183 
(#8116)
    
    The hadoop decompressor org.apache.hadoop.io.compress.lz4.Lz4Compressor
    instantiated a compressor via a call to
    
        LZ4Factory.fastestInstance().safeDecompressor()
    
    and so is not directly vulnerable to CVE-2025-12183.
    
    see https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183
    
    Contributed by PJ Fanning
---
 LICENSE-binary                                                        | 2 +-
 hadoop-client-modules/hadoop-client-integration-tests/pom.xml         | 2 +-
 hadoop-common-project/hadoop-common/pom.xml                           | 2 +-
 hadoop-hdfs-project/hadoop-hdfs/pom.xml                               | 2 +-
 .../hadoop-mapreduce-client-nativetask/pom.xml                        | 2 +-
 hadoop-project/pom.xml                                                | 4 ++--
 6 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/LICENSE-binary b/LICENSE-binary
index 12842b6961b..252618d3aac 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -213,6 +213,7 @@ 
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/static/nvd3-1.8.5.* (css and js
 
hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/checker/AbstractFuture.java
 
hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/checker/TimeoutFuture.java
 
+at.yawk.lz4:lz4-java:1.9.0
 ch.qos.reload4j:reload4j:1.2.22
 com.aliyun:aliyun-java-core:0.2.11-beta
 com.aliyun:aliyun-java-sdk-core:4.5.10
@@ -367,7 +368,6 @@ 
org.eclipse.jetty.websocket:javax-websocket-client-impl:9.4.57.v20241219
 org.eclipse.jetty.websocket:javax-websocket-server-impl:9.4.57.v20241219
 org.ehcache:ehcache:3.8.2
 org.ini4j:ini4j:0.5.4
-org.lz4:lz4-java:1.7.1
 org.objenesis:objenesis:2.6
 org.xerial.snappy:snappy-java:1.1.10.4
 org.yaml:snakeyaml:2.0
diff --git a/hadoop-client-modules/hadoop-client-integration-tests/pom.xml 
b/hadoop-client-modules/hadoop-client-integration-tests/pom.xml
index c5baffe9314..ae17b283e6f 100644
--- a/hadoop-client-modules/hadoop-client-integration-tests/pom.xml
+++ b/hadoop-client-modules/hadoop-client-integration-tests/pom.xml
@@ -48,7 +48,7 @@
       <scope>test</scope>
     </dependency>
     <dependency>
-      <groupId>org.lz4</groupId>
+      <groupId>at.yawk.lz4</groupId>
       <artifactId>lz4-java</artifactId>
       <scope>test</scope>
     </dependency>
diff --git a/hadoop-common-project/hadoop-common/pom.xml 
b/hadoop-common-project/hadoop-common/pom.xml
index 28b3c867a35..d2258f83326 100644
--- a/hadoop-common-project/hadoop-common/pom.xml
+++ b/hadoop-common-project/hadoop-common/pom.xml
@@ -401,7 +401,7 @@
       <scope>compile</scope>
     </dependency>
     <dependency>
-      <groupId>org.lz4</groupId>
+      <groupId>at.yawk.lz4</groupId>
       <artifactId>lz4-java</artifactId>
       <scope>provided</scope>
     </dependency>
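Review bot: The `provided` scope on this entry means hadoop-common still does not ship lz4-java, so the jar actually loaded is whatever the deployment puts on the classpath, and that is worth documenting now that the coordinates have changed. An application that already declares `org.lz4:lz4-java` for the lz4 codec will keep resolving the artifact this commit moves away from for CVE-2025-12183, because Maven treats the two groupIds as unrelated artifacts. I would add a comment above the `<groupId>` line such as `<!-- provided: users of the lz4 codec must add at.yawk.lz4:lz4-java themselves and drop org.lz4:lz4-java -->`, and repeat the instruction in the release notes. The surrounding `<dependencies>` block starts and ends outside the hunk.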
diff --git a/hadoop-hdfs-project/hadoop-hdfs/pom.xml 
b/hadoop-hdfs-project/hadoop-hdfs/pom.xml
index e9b3df793c7..d507b2bdf0b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/pom.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs/pom.xml
@@ -219,7 +219,7 @@ https://maven.apache.org/xsd/maven-4.0.0.xsd";>
         <scope>test</scope>
     </dependency>
     <dependency>
-      <groupId>org.lz4</groupId>
+      <groupId>at.yawk.lz4</groupId>
       <artifactId>lz4-java</artifactId>
       <scope>test</scope>
     </dependency>
diff --git 
a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-nativetask/pom.xml
 
b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-nativetask/pom.xml
index cea971f340e..dffc2590bf9 100644
--- 
a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-nativetask/pom.xml
+++ 
b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-nativetask/pom.xml
@@ -56,7 +56,7 @@
       <scope>test</scope>
     </dependency>
     <dependency>
-      <groupId>org.lz4</groupId>
+      <groupId>at.yawk.lz4</groupId>
       <artifactId>lz4-java</artifactId>
       <scope>test</scope>
     </dependency>
diff --git a/hadoop-project/pom.xml b/hadoop-project/pom.xml
index 251d86965e3..c812fbaa3a7 100644
--- a/hadoop-project/pom.xml
+++ b/hadoop-project/pom.xml
@@ -146,7 +146,7 @@
     <metrics.version>3.2.4</metrics.version>
     <netty4.version>4.1.127.Final</netty4.version>
     <snappy-java.version>1.1.10.4</snappy-java.version>
-    <lz4-java.version>1.7.1</lz4-java.version>
+    <lz4-java.version>1.9.0</lz4-java.version>
 
     <!-- Maven protoc compiler -->
     <protobuf-maven-plugin.version>0.5.1</protobuf-maven-plugin.version>
@@ -2133,7 +2133,7 @@
         </exclusions>
       </dependency>
       <dependency>
-        <groupId>org.lz4</groupId>
+        <groupId>at.yawk.lz4</groupId>
         <artifactId>lz4-java</artifactId>
         <version>${lz4-java.version}</version>
       </dependency>
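Review bot: Managing `at.yawk.lz4:lz4-java` here no longer constrains `org.lz4:lz4-java`, so any third-party dependency that still pulls the old coordinates transitively would bring an unmanaged copy onto the classpath next to the new jar. Whether such a dependency exists is not visible in this diff; `mvn dependency:tree -Dincludes=org.lz4` would show it. If one does, both jars presumably carry the same `net.jpountz.lz4` classes and load order decides which implementation runs, so I would add `<exclude>org.lz4:lz4-java</exclude>` to a maven-enforcer `bannedDependencies` rule and exclude the old artifact where it enters. The `<dependencyManagement>` section this entry sits in starts and ends outside the hunk.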

