[ 
https://issues.apache.org/jira/browse/FLINK-40054?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Martijn Visser resolved FLINK-40054.
------------------------------------
    Fix Version/s: 2.4.0
       Resolution: Fixed

Fixed in apache/flink:master 0ceabd785c4c2db3ed92e06896895b606f6fdcd9

> Update aircompressor to 2.0.3
> -----------------------------
>
>                 Key: FLINK-40054
>                 URL: https://issues.apache.org/jira/browse/FLINK-40054
>             Project: Flink
>          Issue Type: Technical Debt
>          Components: Runtime / Network
>            Reporter: Martijn Visser
>            Assignee: Martijn Visser
>            Priority: Major
>             Fix For: 2.4.0
>
>
> Flink bundles io.airlift:aircompressor 0.27 in flink-runtime (shaded and 
> relocated), where it provides the LZO and ZSTD codecs for network shuffle 
> buffer compression (taskmanager.network.compression.codec). The LZ4 codec 
> uses lz4-java and is unaffected.
>
> aircompressor 2.0.3 is the latest release of the Java-8-compatible 
> maintenance line (branch release-2.x). It is 0.27 plus backported fixes for 
> CVE-2025-67721, an uninitialized-memory data leak in the Snappy and LZ4 
> decompressors when the match offset is zero. Flink's code path only uses 
> aircompressor's LZO and ZSTD implementations, so the vulnerable decompressors 
> are bundled but not invoked; the upgrade is dependency hygiene and removes 
> security-scanner findings. The packages (io.airlift.compress.*), API and 
> bytecode level (Java 8) are unchanged, making this a drop-in replacement.
>
> Why not aircompressor-v3: the actively developed line was renamed to the 
> io.airlift:aircompressor-v3 artifact with packages under 
> io.airlift.compress.v3. Its latest release (3.6) is compiled to Java 25 
> bytecode (earlier 3.x releases required Java 22), while Flink still compiles 
> at source level Java 11 and supports Java 11, 17 and 21 at runtime. The 
> package rename would additionally require code changes. v3 is therefore not 
> an option until Flink drops support for pre-22 JVMs.
>
> Alternatives considered:
> * Replacing the ZSTD codec with com.github.luben:zstd-jni (native libzstd via 
> JNI, as used by Kafka/Spark/Parquet) would likely be faster, but swapping 
> pure Java for native libraries in the shuffle hot path is a 
> performance-motivated change that needs benchmarks and its own ticket.
> * The LZO codec has no alternative: native liblzo2 and hadoop-lzo are 
> GPL-licensed, and aircompressor's LZO is the only Apache-2.0-licensed Java 
> implementation.
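The ticket names the bug class behind CVE-2025-67721 (a back-reference with a match offset of zero in an LZ-style decompressor) but does not show the mechanism. The following is an added illustration written for this page, not aircompressor's or Flink's code: it uses a constructed toy LZ77-style token format and a caller-supplied, reused output buffer, which is the setup real decompressors use for performance. The unchecked decoder accepts offset 0 and so emits whatever the reused buffer already held (stale data from a previous decode); the hardened decoder rejects any offset outside `1..pos` and any write past the buffer end. All names, the token format and the "stale" buffer contents are assumptions of the example.

```python
"""Toy LZ77-style decoder showing why a match offset of zero must be rejected.

Constructed example. Token format (invented for this illustration):
  b'L', n, <n literal bytes>   -> append n literal bytes to the output
  b'M', length, offset         -> copy `length` bytes starting `offset` bytes
                                  back from the current output position
The decoder writes into a caller-supplied bytearray that is reused between
calls, as real decompressors do; stale contents of that buffer are what an
unchecked offset of 0 leaks into the "decompressed" data.
"""

# Constructed: pretend this is what a previous decode left in the reused buffer.
STALE = bytes(b"SECRET-KEY-123456789")


def decode_unchecked(src: bytes, out: bytearray) -> int:
    """Vulnerable variant: trusts the match offset.

    With offset == 0 the copy source is the write position itself, so the loop
    "copies" bytes that were never produced by this decode and simply advances
    over the stale buffer contents, which then appear in the output.
    """
    i = pos = 0
    while i < len(src):
        tag = src[i]
        if tag == ord("L"):
            n = src[i + 1]
            out[pos:pos + n] = src[i + 2:i + 2 + n]
            pos += n
            i += 2 + n
        elif tag == ord("M"):
            length, offset = src[i + 1], src[i + 2]
            start = pos - offset
            for k in range(length):  # byte-wise copy so overlapping matches work
                out[pos + k] = out[start + k]
            pos += length
            i += 3
        else:
            raise ValueError("bad tag")
    return pos


def decode_checked(src: bytes, out: bytearray) -> int:
    """Hardened variant: every match must point strictly backwards into data
    already written (1 <= offset <= pos) and every write must fit the buffer."""
    i = pos = 0
    while i < len(src):
        tag = src[i]
        if tag == ord("L"):
            n = src[i + 1]
            if i + 2 + n > len(src) or pos + n > len(out):
                raise ValueError("literal run out of bounds")
            out[pos:pos + n] = src[i + 2:i + 2 + n]
            pos += n
            i += 2 + n
        elif tag == ord("M"):
            if i + 3 > len(src):
                raise ValueError("truncated match token")
            length, offset = src[i + 1], src[i + 2]
            if offset < 1 or offset > pos:
                raise ValueError(f"invalid match offset {offset} at pos {pos}")
            if pos + length > len(out):
                raise ValueError("match overruns output buffer")
            start = pos - offset
            for k in range(length):
                out[pos + k] = out[start + k]
            pos += length
            i += 3
        else:
            raise ValueError("bad tag")
    return pos


def demo() -> tuple:
    """Feed a stream containing an offset-0 match to both decoders.

    Returns (bytes the unchecked decoder emitted, whether the checked decoder
    rejected the stream). The unchecked output contains a slice of STALE.
    """
    stream = bytes([ord("L"), 3]) + b"abc" + bytes([ord("M"), 5, 0])
    out = bytearray(STALE)
    n = decode_unchecked(stream, out)
    leaked = bytes(out[:n])  # b"abcRET-K": 'RET-K' came from the stale buffer
    try:
        decode_checked(stream, bytearray(STALE))
        rejected = False
    except ValueError:
        rejected = True
    return leaked, rejected


if __name__ == "__main__":
    print(demo())
```

The same offset check also covers the opposite error (offset larger than `pos`), which in a language without bounds checks reads memory before the buffer; the hardened decoder still handles overlapping matches such as `M 4 2` after `ab`, which legitimately decodes to `ababab`.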



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
