[ 
https://issues.apache.org/jira/browse/CASSANDRA-21052?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18042190#comment-18042190
 ] 

PJ Fanning commented on CASSANDRA-21052:
----------------------------------------

Thanks [~smiklosovic] for the quick response. By all means, use caution when 
switching, but as far as I can see, the changes in the new jar are just to fix 
the CVE and some build changes relating to the new groupId.

Using the safe decompressor even with the existing lib should be pretty safe, 
but I'll leave it to the Cassandra team to research the options.

> switch lz4-java to at.yawk.lz4 version due to CVE
> -------------------------------------------------
>
>                 Key: CASSANDRA-21052
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-21052
>             Project: Apache Cassandra
>          Issue Type: Bug
>            Reporter: PJ Fanning
>            Priority: Normal
>
> https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183
> https://github.com/search?q=repo%3Aapache%2Fcassandra%20lz4-java&type=code
> (but also affects other Cassandra git repos too - eg 
> apache/cassandra-java-driver)
> The fork jar is a drop in replacement (same package name as the original jar)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
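As an added illustration of the "safe decompressor" option mentioned in the comment (this is example code written for this page, not code from Apache Cassandra, the lz4-java project, the at.yawk.lz4 fork or the ticket), the block below contrasts the two block-decompression APIs that lz4-java exposes under the net.jpountz.lz4 package, which the issue says the fork keeps. LZ4FastDecompressor's contract is that the caller already knows the exact decompressed length and the input is well-formed; LZ4SafeDecompressor takes the compressed length and the destination capacity, so decoding is bounded by both, and it throws LZ4Exception on malformed input. The 4-byte length header, the SafeLz4Example class, the 1 MiB cap and the tampered inputs are all assumptions made for the example; nothing here reproduces CVE-2025-12183, whose details the page does not give.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import net.jpountz.lz4.LZ4Compressor;
import net.jpountz.lz4.LZ4Exception;
import net.jpountz.lz4.LZ4Factory;
import net.jpountz.lz4.LZ4FastDecompressor;
import net.jpountz.lz4.LZ4SafeDecompressor;

/** Added example (not project code): bounded LZ4 block decoding with LZ4SafeDecompressor. */
public final class SafeLz4Example {

    private static final LZ4Factory FACTORY = LZ4Factory.fastestInstance();

    /** Hypothetical framing for the example: 4-byte big-endian original length, then one LZ4 block. */
    static byte[] frame(byte[] raw) {
        LZ4Compressor c = FACTORY.fastCompressor();
        byte[] buf = new byte[4 + c.maxCompressedLength(raw.length)];
        int n = c.compress(raw, 0, raw.length, buf, 4, buf.length - 4);
        writeInt(buf, raw.length);
        return Arrays.copyOf(buf, 4 + n);
    }

    /**
     * Trusting variant: the declared length is allocated and handed to the fast decompressor,
     * whose contract assumes the caller knows the true size and the block is well-formed.
     * Nothing bounds the decode by the compressed length, and a hostile header is allocated as-is.
     */
    static byte[] unframeFast(byte[] frame) {
        int declared = readInt(frame);
        byte[] out = new byte[declared];
        LZ4FastDecompressor d = FACTORY.fastDecompressor();
        d.decompress(frame, 4, out, 0, declared);
        return out;
    }

    /**
     * Hardened variant: cap the declared size before allocating, decode with the safe
     * decompressor (bounded by compressed length and destination capacity, throws LZ4Exception
     * on malformed input), and require the produced length to match the header.
     */
    static byte[] unframeSafe(byte[] frame, int maxDecompressed) {
        if (frame.length < 4) {
            throw new IllegalArgumentException("frame too short for length header");
        }
        int declared = readInt(frame);
        if (declared < 0 || declared > maxDecompressed) {
            throw new IllegalArgumentException(
                "declared length " + declared + " exceeds limit " + maxDecompressed);
        }
        byte[] out = new byte[declared];
        LZ4SafeDecompressor d = FACTORY.safeDecompressor();
        int produced = d.decompress(frame, 4, frame.length - 4, out, 0, declared);
        if (produced != declared) {
            throw new LZ4Exception("decompressed " + produced + " bytes, header declared " + declared);
        }
        return out;
    }

    private static void writeInt(byte[] b, int v) {
        b[0] = (byte) (v >>> 24); b[1] = (byte) (v >>> 16); b[2] = (byte) (v >>> 8); b[3] = (byte) v;
    }

    private static int readInt(byte[] b) {
        return ((b[0] & 0xff) << 24) | ((b[1] & 0xff) << 16) | ((b[2] & 0xff) << 8) | (b[3] & 0xff);
    }

    public static void main(String[] args) {
        final int limit = 1 << 20; // 1 MiB cap, an illustrative value for this example
        byte[] raw = "constructed sample payload, repeated to give LZ4 something to match: "
            .repeat(16).getBytes(StandardCharsets.UTF_8);
        byte[] good = frame(raw);

        // Well-formed input round-trips through both paths.
        System.out.println("fast ok:  " + Arrays.equals(raw, unframeFast(good)));
        System.out.println("safe ok:  " + Arrays.equals(raw, unframeSafe(good, limit)));

        // Constructed hostile header: declares 2 GiB. The hardened path rejects it before allocating.
        byte[] bigHeader = good.clone();
        writeInt(bigHeader, Integer.MAX_VALUE);
        try {
            unframeSafe(bigHeader, limit);
        } catch (IllegalArgumentException e) {
            System.out.println("safe rejected oversized header: " + e.getMessage());
        }

        // Constructed truncated block: the safe decompressor reports malformed input instead of
        // producing a silently short result.
        byte[] truncated = Arrays.copyOf(good, good.length - 8);
        try {
            unframeSafe(truncated, limit);
        } catch (LZ4Exception e) {
            System.out.println("safe rejected truncated block: " + e.getMessage());
        }
    }
}
```

The check on `produced != declared` matters even with the safe decompressor: it bounds the decode but cannot know what the surrounding framing promised, so a block that legitimately decodes to fewer bytes than the header claims would otherwise be returned with an uninitialised tail.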
