[
https://issues.apache.org/jira/browse/CASSANDRA-21052?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18042239#comment-18042239
]
Stefan Miklosovic edited comment on CASSANDRA-21052 at 12/2/25 4:11 PM:
------------------------------------------------------------------------
I think that the way to go here is to write to the Cassandra DEV mailing list about
this and what you propose. Any library replacement or introduction has to go
over this process where additional concerns, if any, are discussed and
addressed. We will definitely not resolve this in this ticket, that is for
sure.
Talking via the security ML is better for obvious reasons.
was (Author: smiklosovic):
I think that the way to go here is to write to the Cassandra DEV mailing list about
this and what you propose. Any library replacement or introduction has to go
over this process where additional concerns, if any, are discussed and
addressed. We will definitely not resolve this in this ticket, that is for
sure.
> switch lz4-java to at.yawk.lz4 version due to CVE
> -------------------------------------------------
>
> Key: CASSANDRA-21052
> URL: https://issues.apache.org/jira/browse/CASSANDRA-21052
> Project: Apache Cassandra
> Issue Type: Bug
> Reporter: PJ Fanning
> Priority: Normal
>
> https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183
> https://github.com/search?q=repo%3Aapache%2Fcassandra%20lz4-java&type=code
> (but also affects other Cassandra git repos too - e.g.
> apache/cassandra-java-driver)
> The fork jar is a drop-in replacement (same package name as the original jar)