[
https://issues.apache.org/jira/browse/CASSANDRA-21052?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18042188#comment-18042188
]
Stefan Miklosovic commented on CASSANDRA-21052:
-----------------------------------------------
Thank you for letting us know. I am not against the version bump but just
saying that this library is setting pretty much at the core of how we are
de/compressing, LZ4 is I think default compression algorithm so backward
compatibility is everything here, together with performance which should at
least same. Somebody needs to evaluate this library in these regards.
> switch lz4-java to at.yawk.lz4 version due to CVE
> -------------------------------------------------
>
> Key: CASSANDRA-21052
> URL: https://issues.apache.org/jira/browse/CASSANDRA-21052
> Project: Apache Cassandra
> Issue Type: Bug
> Reporter: PJ Fanning
> Priority: Normal
>
> https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183
> https://github.com/search?q=repo%3Aapache%2Fcassandra%20lz4-java&type=code
> (but also affects other Cassandra git repos too - eg
> apache/cassandra-java-driver)
> The fork jar is a drop in replacement (same package name as the original jar)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
