This is an automated email from the ASF dual-hosted git repository.
zhangduo pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hbase.git
The following commit(s) were added to refs/heads/master by this push:
new 688b5745aad HBASE-29740 Upgrade lz4-java to 1.8.1+ (#7513)
688b5745aad is described below
commit 688b5745aad777967c71a2990410b5f1b3b28e9c
Author: Liu Xiao <[email protected]>
AuthorDate: Sat Dec 6 22:22:58 2025 +0800
HBASE-29740 Upgrade lz4-java to 1.8.1+ (#7513)
Upgrade to 1.10.1 to address both CVE-2025-12183 and CVE-2025-66566.
Signed-off-by: Duo Zhang <[email protected]>
---
hbase-compression/hbase-compression-lz4/pom.xml | 2 +-
pom.xml | 9 +++++++--
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/hbase-compression/hbase-compression-lz4/pom.xml
b/hbase-compression/hbase-compression-lz4/pom.xml
index 1e4ff037492..69bb74a71ec 100644
--- a/hbase-compression/hbase-compression-lz4/pom.xml
+++ b/hbase-compression/hbase-compression-lz4/pom.xml
@@ -70,7 +70,7 @@
</dependency>
<!-- native Java compression codecs -->
<dependency>
- <groupId>org.lz4</groupId>
+ <groupId>at.yawk.lz4</groupId>
<artifactId>lz4-java</artifactId>
</dependency>
<!--Test-->
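Review bot: Swapping the groupId to `at.yawk.lz4` here (and in the root `pom.xml` dependency entry further down) gives Maven a different artifact coordinate, so a transitive dependency that still declares `org.lz4:lz4-java` is no longer version-mediated against this entry and can land on the classpath beside the fork. The two jars presumably ship the same package names, in which case classpath order would decide whether the patched classes are the ones loaded. It would be worth running `mvn dependency:tree -Dincludes=org.lz4` across the modules after this change. If anything shows up, add an `<exclusion>` for `org.lz4:lz4-java` on the offending dependency, or a banned-dependency enforcer rule, so the old coordinate cannot return unnoticed.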
diff --git a/pom.xml b/pom.xml
index b62589707d4..0fdbd2145a5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -973,7 +973,7 @@
<!-- compression -->
<aircompressor.version>0.27</aircompressor.version>
<brotli4j.version>1.11.0</brotli4j.version>
- <lz4.version>1.8.0</lz4.version>
+ <lz4.version>1.10.1</lz4.version>
<snappy.version>1.1.10.4</snappy.version>
<zstd-jni.version>1.5.7-2</zstd-jni.version>
<!--
@@ -1794,8 +1794,13 @@
<artifactId>aircompressor</artifactId>
<version>${aircompressor.version}</version>
</dependency>
+ <!--
+ The official lz4-java project has been discontinued, we have to move to
+ a community fork for addressing CVE-2025-12183 since 1.8.1+,
+ see:
https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183
+ -->
<dependency>
- <groupId>org.lz4</groupId>
+ <groupId>at.yawk.lz4</groupId>
<artifactId>lz4-java</artifactId>
<version>${lz4.version}</version>
</dependency>
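Review bot: The new comment above the `at.yawk.lz4` dependency names only CVE-2025-12183 and "1.8.1+", while the commit message says 1.10.1 was chosen to cover CVE-2025-66566 as well, so a reader of the pom alone could conclude that any 1.8.1+ release is sufficient. I would extend the comment to record both identifiers and the version they are tied to, e.g. `community fork of lz4-java; keep lz4.version at 1.10.1 or later (per HBASE-29740) for CVE-2025-12183 and CVE-2025-66566`. A short pointer next to `<lz4.version>` in the properties hunk would help too, since that is where a downgrade would actually be made.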