This is an automated email from the ASF dual-hosted git repository.

zhangduo pushed a commit to branch branch-2.6
in repository https://gitbox.apache.org/repos/asf/hbase.git


The following commit(s) were added to refs/heads/branch-2.6 by this push:
     new f80e0a7c8fd HBASE-29740 Upgrade lz4-java to 1.8.1+ (#7513)
f80e0a7c8fd is described below

commit f80e0a7c8fd560dd07a82090b892e5554d4457c3
Author: Liu Xiao <[email protected]>
AuthorDate: Sat Dec 6 22:22:58 2025 +0800

    HBASE-29740 Upgrade lz4-java to 1.8.1+ (#7513)
    
    Upgrade to 1.10.1 to address both CVE-2025-12183 and CVE-2025-66566.
    
    Signed-off-by: Duo Zhang <[email protected]>
    (cherry picked from commit 688b5745aad777967c71a2990410b5f1b3b28e9c)
---
 hbase-compression/hbase-compression-lz4/pom.xml | 2 +-
 pom.xml                                         | 9 +++++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/hbase-compression/hbase-compression-lz4/pom.xml 
b/hbase-compression/hbase-compression-lz4/pom.xml
index 240b39c28a1..5a1b9b4aff5 100644
--- a/hbase-compression/hbase-compression-lz4/pom.xml
+++ b/hbase-compression/hbase-compression-lz4/pom.xml
@@ -86,7 +86,7 @@
     </dependency>
     <!-- native Java compression codecs -->
     <dependency>
-      <groupId>org.lz4</groupId>
+      <groupId>at.yawk.lz4</groupId>
       <artifactId>lz4-java</artifactId>
     </dependency>
     <!--Test-->
diff --git a/pom.xml b/pom.xml
index 370173515e8..5e8af829c01 100644
--- a/pom.xml
+++ b/pom.xml
@@ -667,7 +667,7 @@
     <!-- compression -->
     <aircompressor.version>0.27</aircompressor.version>
     <brotli4j.version>1.11.0</brotli4j.version>
-    <lz4.version>1.8.0</lz4.version>
+    <lz4.version>1.10.1</lz4.version>
     <snappy.version>1.1.10.4</snappy.version>
     <zstd-jni.version>1.5.7-2</zstd-jni.version>
     <!--
@@ -1539,8 +1539,13 @@
         <artifactId>aircompressor</artifactId>
         <version>${aircompressor.version}</version>
       </dependency>
+      <!--
+        The official lz4-java project has been discontinued, we have to move to
+        a community fork for addressing CVE-2025-12183 since 1.8.1+,
+        see: 
https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183
+      -->
       <dependency>
-        <groupId>org.lz4</groupId>
+        <groupId>at.yawk.lz4</groupId>
         <artifactId>lz4-java</artifactId>
         <version>${lz4.version}</version>
       </dependency>
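Review bot: Switching the managed coordinates to `at.yawk.lz4:lz4-java` does not stop the old `org.lz4:lz4-java` from arriving transitively through another dependency, and since the fork keeps the same artifactId and package names both jars would then sit on the classpath with duplicate classes and the vulnerable copy possibly winning; the root pom's enforcer banned-dependencies rule (outside this hunk, if present) should gain `<exclude>org.lz4:lz4-java</exclude>`, or the modules should carry a matching `<exclusions>` entry. The new comment names only CVE-2025-12183 while the commit message says the bump also addresses CVE-2025-66566; since the comment is the durable record for the next person touching `lz4.version`, I would extend it to `CVE-2025-12183 (fixed in 1.8.1+) and CVE-2025-66566 are addressed by the at.yawk.lz4 fork; org.lz4:lz4-java must not appear on the classpath alongside it.`, keeping the existing link. The same groupId change in hbase-compression-lz4/pom.xml inherits this concern.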
