This is an automated email from the ASF dual-hosted git repository.
zhangduo pushed a commit to branch branch-2
in repository https://gitbox.apache.org/repos/asf/hbase.git
The following commit(s) were added to refs/heads/branch-2 by this push:
new 6bfb797ad74 HBASE-29740 Upgrade lz4-java to 1.8.1+ (#7513)
6bfb797ad74 is described below
commit 6bfb797ad742bace6f6613fcd222c5c69afa38f2
Author: Liu Xiao <[email protected]>
AuthorDate: Sat Dec 6 22:22:58 2025 +0800
HBASE-29740 Upgrade lz4-java to 1.8.1+ (#7513)
Upgrade to 1.10.1 to address both CVE-2025-12183 and CVE-2025-66566.
Signed-off-by: Duo Zhang <[email protected]>
(cherry picked from commit 688b5745aad777967c71a2990410b5f1b3b28e9c)
---
hbase-compression/hbase-compression-lz4/pom.xml | 2 +-
pom.xml | 9 +++++++--
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/hbase-compression/hbase-compression-lz4/pom.xml
b/hbase-compression/hbase-compression-lz4/pom.xml
index 240b39c28a1..5a1b9b4aff5 100644
--- a/hbase-compression/hbase-compression-lz4/pom.xml
+++ b/hbase-compression/hbase-compression-lz4/pom.xml
@@ -86,7 +86,7 @@
</dependency>
<!-- native Java compression codecs -->
<dependency>
- <groupId>org.lz4</groupId>
+ <groupId>at.yawk.lz4</groupId>
<artifactId>lz4-java</artifactId>
</dependency>
<!--Test-->
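Review bot: Changing the `groupId` to `at.yawk.lz4` here, and in the managed entry in the root `pom.xml` hunk, does not stop the old `org.lz4:lz4-java` from arriving transitively. Maven treats the two coordinates as unrelated artifacts, so the `lz4.version` management no longer applies to the old one. If the fork keeps the same Java package names, as a drop-in replacement presumably does, both jars could sit on the classpath and the unpatched classes may be the ones loaded. It is worth running `mvn dependency:tree -Dincludes=org.lz4` across the modules. If anything still pulls it in, add an exclusion on that dependency or a maven-enforcer `bannedDependencies` entry such as `<exclude>org.lz4:lz4-java</exclude>`, so the vulnerable artifact cannot return unnoticed.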
diff --git a/pom.xml b/pom.xml
index a9058aaf64d..7ea8ce4eab0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -665,7 +665,7 @@
<!-- compression -->
<aircompressor.version>0.27</aircompressor.version>
<brotli4j.version>1.11.0</brotli4j.version>
- <lz4.version>1.8.0</lz4.version>
+ <lz4.version>1.10.1</lz4.version>
<snappy.version>1.1.10.4</snappy.version>
<zstd-jni.version>1.5.7-2</zstd-jni.version>
<!--
@@ -1532,8 +1532,13 @@
<artifactId>aircompressor</artifactId>
<version>${aircompressor.version}</version>
</dependency>
+ <!--
+ The official lz4-java project has been discontinued, we have to move to
+ a community fork for addressing CVE-2025-12183 since 1.8.1+,
+ see:
https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183
+ -->
<dependency>
- <groupId>org.lz4</groupId>
+ <groupId>at.yawk.lz4</groupId>
<artifactId>lz4-java</artifactId>
<version>${lz4.version}</version>
</dependency>
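Review bot: The added comment names only CVE-2025-12183 and a floor of "1.8.1+", while the commit message says the version was raised to 1.10.1 to cover CVE-2025-66566 as well. A maintainer reading only the pom could conclude that pinning 1.8.1 is sufficient. I would add a line to the comment such as `Keep lz4.version at 1.10.1 or later; that release also addresses CVE-2025-66566.` so the minimum safe version is recorded next to the dependency it governs.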