[jira] [Commented] (HADOOP-19747) switch lz4-java to at.yawk.lz4 version due to CVE

Tue, 09 Dec 2025 04:28:57 -0800 


    [ 
https://issues.apache.org/jira/browse/HADOOP-19747?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18043845#comment-18043845
 ] 

ASF GitHub Bot commented on HADOOP-19747:
-----------------------------------------

pjfanning opened a new pull request, #8122:
URL: https://github.com/apache/hadoop/pull/8122

   <!--
     Thanks for sending a pull request!
       1. If this is your first time, please read our contributor guidelines: 
https://cwiki.apache.org/confluence/display/HADOOP/How+To+Contribute
       2. Make sure your PR title starts with JIRA issue id, e.g., 
'HADOOP-17799. Your PR title ...'.
   -->
   
   ### Description of PR
   
   Another CVE - CVE-2025-66566.
   2nd PR for HADOOP-19747
   
   ### How was this patch tested?
   
   
   ### For code changes:
   
   - [x] Does the title or this PR starts with the corresponding JIRA issue id 
(e.g. 'HADOOP-17799. Your PR title ...')?
   - [ ] Object storage: have the integration tests been executed and the 
endpoint declared according to the connector-specific documentation?
   - [ ] If adding new dependencies to the code, are these dependencies 
licensed in a way that is compatible for inclusion under [ASF 
2.0](http://www.apache.org/legal/resolved.html#category-a)?
   - [x] If applicable, have you updated the `LICENSE`, `LICENSE-binary`, 
`NOTICE-binary` files?
   
   




> switch lz4-java to at.yawk.lz4 version due to CVE
> -------------------------------------------------
>
>                 Key: HADOOP-19747
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19747
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: build, common
>            Reporter: PJ Fanning
>            Assignee: PJ Fanning
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.5.0, 3.4.3
>
>
> https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183
> https://github.com/search?q=repo%3Aapache%2Fhadoop%20lz4-java&type=code
> The fork jar is a drop in replacement (same package name as the original jar)
> h2. CVE notes
> The hadoop decompressor org.apache.hadoop.io.compress.lz4.Lz4Compressor
>     instantiated a compressor via a call to
> {code}
>         LZ4Factory.fastestInstance().safeDecompressor()
> {code}
>     and so is not directly vulnerable to CVE-2025-12183.
> This update is a due diligence/maintenance update, one to keep the CVE 
> scanners quiet.
> If you have come here because your CVE scanner detected it: this is not one 
> to worry about.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to