[
https://issues.apache.org/jira/browse/FLINK-39139?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18060687#comment-18060687
]
Cameron commented on FLINK-39139:
---------------------------------
The PR for this is already available. It was originally a Hotfix, but I was
told that CVEs need Jira tickets
[https://github.com/apache/flink/pull/27644]
[https://github.com/apache/flink/pull/27645]
[https://github.com/apache/flink/pull/27646]
[https://github.com/apache/flink/pull/27647]
[https://github.com/apache/flink/pull/27648]
These are backports of the merged hotfix
[https://github.com/apache/flink/pull/27535]
> Update lz4-java to 1.10.3
> -------------------------
>
> Key: FLINK-39139
> URL: https://issues.apache.org/jira/browse/FLINK-39139
> Project: Flink
> Issue Type: Improvement
> Reporter: Cameron
> Priority: Major
>
> lz4-java 1.8.0 has the following CVEs:
> * [CVE-2025-66566|https://www.cve.org/CVERecord?id=CVE-2025-66566]
> * [CVE-2025-12183|https://www.cve.org/CVERecord?id=CVE-2025-12183]
> Updating lz4-java to 1.10.3 resolves the CVE
> It has also been relocated to at.yawk.lz4
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
