This is an automated email from the ASF dual-hosted git repository.

etudenhoefner pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/iceberg.git


The following commit(s) were added to refs/heads/main by this push:
     new fa7b5c84c4 Build: Bump lz4-java to 1.10.3 due to CVE-2025-12183 & 
CVE-2025-66566 (#14941)
fa7b5c84c4 is described below

commit fa7b5c84c46ca71c8f28d509891585d848d93d6e
Author: slfan1989 <[email protected]>
AuthorDate: Tue Feb 17 14:02:37 2026 +0800

    Build: Bump lz4-java to 1.10.3 due to CVE-2025-12183 & CVE-2025-66566 
(#14941)
---
 build.gradle              | 5 +++++
 gradle/libs.versions.toml | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/build.gradle b/build.gradle
index 5b99621fce..c0c8c537ff 100644
--- a/build.gradle
+++ b/build.gradle
@@ -194,6 +194,11 @@ subprojects {
       exclude group: 'com.sun.jersey.contribs'
       exclude group: 'org.pentaho', module: 'pentaho-aggdesigner-algorithm'
       exclude group: 'org.jetbrains', module: 'annotations'
+      resolutionStrategy {
+        dependencySubstitution {
+          substitute module("org.lz4:lz4-java") using 
module(libs.lz4Java.get().toString()) because("Enforce lz4-java that contains 
CVE-2025-12183 and CVE-2025-66566 fixes")
+        }
+      }
     }
 
     testArtifacts
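Review bot: The added `dependencySubstitution` rule changes the publisher coordinates as well as the version (`org.lz4:lz4-java` is replaced by the catalog entry `at.yawk.lz4:lz4-java`), and nothing next to the rule records that. A comment above it such as `// org.lz4:lz4-java is replaced by at.yawk.lz4:lz4-java, the coordinates that publish the CVE-2025-12183 / CVE-2025-66566 fixes` would make the group swap visible to anyone auditing the dependency graph. The `because(...)` text reads as if the target "contains" the CVEs; `because("Enforce lz4-java with fixes for CVE-2025-12183 and CVE-2025-66566")` is clearer in dependency reports. The enclosing configuration block starts outside the hunk, but a substitution rule only affects resolution inside this build, so consumers that pull `org.lz4:lz4-java` transitively through the published artifacts presumably still need their own constraint. It is worth confirming the result on a runtime classpath with `./gradlew :<subproject>:dependencyInsight --dependency lz4-java --configuration runtimeClasspath`.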
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 5d79523b6b..e8a1dcb588 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -72,6 +72,7 @@ junit-platform = "1.14.2"
 junit-pioneer = "2.3.0"
 kafka = "3.9.1"
 kryo-shaded = "4.0.3"
+lz4Java = "1.10.3"
 microprofile-openapi-api = "3.1.2"
 mockito = "4.11.0"
 mockserver = "5.15.0"
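Review bot: The new alias `lz4Java` is camelCase, while the surrounding entries in this `[versions]` hunk and in the library hunk below (`kryo-shaded`, `kafka-connect-api`, `netty-buffer`) are kebab-case. Naming it `lz4-java` in both places, e.g. `lz4-java = { module = "at.yawk.lz4:lz4-java", version.ref = "lz4-java" }`, would keep the catalog consistent, with the accessor in build.gradle becoming `libs.lz4.java`. Because this entry exists only to pin a security fix, a one-line comment above the version such as `# pinned for CVE-2025-12183 / CVE-2025-66566; do not lower` would help keep a later cleanup from dropping or downgrading it.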
@@ -161,6 +162,7 @@ kafka-clients = { module = 
"org.apache.kafka:kafka-clients", version.ref = "kafk
 kafka-connect-api = { module = "org.apache.kafka:connect-api", version.ref = 
"kafka" }
 kafka-connect-json = { module = "org.apache.kafka:connect-json", version.ref = 
"kafka" }
 kafka-connect-transforms = { module = "org.apache.kafka:connect-transforms", 
version.ref = "kafka" }
+lz4Java = { module = "at.yawk.lz4:lz4-java", version.ref = "lz4Java" }
 microprofile-openapi-api = { module = 
"org.eclipse.microprofile.openapi:microprofile-openapi-api", version.ref = 
"microprofile-openapi-api" }
 nessie-client = { module = "org.projectnessie.nessie:nessie-client", 
version.ref = "nessie" }
 netty-buffer = { module = "io.netty:netty-buffer", version.ref = 
"netty-buffer" }
