This is an automated email from the ASF dual-hosted git repository.
mimaison pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/kafka.git
The following commit(s) were added to refs/heads/trunk by this push:
new f7e23097302 KAFKA-19951: Update lz4 dependency version for
CVE-2025-12183 & CVE-2025-66566 (#21035)
f7e23097302 is described below
commit f7e2309730293be41497861d37df792494626003
Author: Erik Anderson <[email protected]>
AuthorDate: Tue Dec 9 09:24:21 2025 -0500
KAFKA-19951: Update lz4 dependency version for CVE-2025-12183 &
CVE-2025-66566 (#21035)
Updated lz4 dependency version from 1.8.0 to 1.10.1
## CVE-2025-12183
https://nvd.nist.gov/vuln/detail/CVE-2025-12183
## CVE-2025-66566
https://nvd.nist.gov/vuln/detail/CVE-2025-66566
## Releases
https://github.com/yawkat/lz4-java/releases/tag/v1.8.1
https://github.com/yawkat/lz4-java/releases/tag/v1.10.0
https://github.com/yawkat/lz4-java/releases/tag/v1.10.1
Reviewers: Gaurav Narula <[email protected]>, Lan Ding
<[email protected]>, Chia-Ping Tsai <[email protected]>, Mickael Maison
<[email protected]>, PoAn Yang <[email protected]>
---------
Co-authored-by: Erik Anderson <[email protected]>
Co-authored-by: Chia-Ping Tsai <[email protected]>
Co-authored-by: Mickael Maison <[email protected]>
---
LICENSE-binary | 2 +-
NOTICE-binary | 2 +-
gradle/dependencies.gradle | 6 ++++--
3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/LICENSE-binary b/LICENSE-binary
index b1a59cf2f5c..fd1c2dde27a 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -242,7 +242,7 @@ License Version 2.0:
- log4j-core-2.25.1
- log4j-slf4j-impl-2.25.1
- log4j-1.2-api-2.25.1
-- lz4-java-1.8.0
+- lz4-java-1.10.1
- maven-artifact-3.9.6
- metrics-core-2.2.0
- opentelemetry-proto-1.3.2-alpha
diff --git a/NOTICE-binary b/NOTICE-binary
index b625e142293..00b25d5d3f3 100644
--- a/NOTICE-binary
+++ b/NOTICE-binary
@@ -687,7 +687,7 @@ and decompression library written by Adrien Grand. It can
be obtained at:
* LICENSE:
* license/LICENSE.lz4.txt (Apache License 2.0)
* HOMEPAGE:
- * https://github.com/jpountz/lz4-java
+ * https://github.com/yawkat/lz4-java
This product optionally depends on 'lzma-java', a LZMA Java compression
and decompression library, which can be obtained at:
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index e577052862f..7d3eeaec9e3 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -108,7 +108,9 @@ versions += [
kafka_41: "4.1.1",
log4j2: "2.25.1",
// When updating lz4 make sure the compression levels in
org.apache.kafka.common.record.CompressionType are still valid
- lz4: "1.8.0",
+ //
https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/record/CompressionType.java#L73-L74
+ //
https://github.com/yawkat/lz4-java/blob/main/src/java/net/jpountz/lz4/LZ4Constants.java#L23-L24
+ lz4: "1.10.1",
mavenArtifact: "3.9.6",
metrics: "2.2.0",
mockito: "5.20.0",
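Review bot: The two reference comments added above the `lz4` version entry anchor line ranges (`#L73-L74`, `#L23-L24`) on moving branches (`trunk`, `main`), so they will point at the wrong lines as soon as either file is edited; pin them to a fixed ref, e.g. `// https://github.com/yawkat/lz4-java/blob/v1.10.1/src/java/net/jpountz/lz4/LZ4Constants.java#L23-L24` using the tag this bump targets, and for the Kafka side prefer naming the constants in `CompressionType` rather than a URL with line numbers. The existing instruction to re-check the compression levels is the part that matters to a future upgrader, so it is worth keeping it on its own line ahead of the links. The three comment lines appear wrapped by the mail transport here (the URLs print on separate lines without a `+` marker); presumably each is a single `//` line in the file.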
@@ -211,7 +213,7 @@ libs += [
log4j1Bridge2Api: "org.apache.logging.log4j:log4j-1.2-api:$versions.log4j2",
log4j2Api: "org.apache.logging.log4j:log4j-api:$versions.log4j2",
log4j2Core: "org.apache.logging.log4j:log4j-core:$versions.log4j2",
- lz4: "org.lz4:lz4-java:$versions.lz4",
+ lz4: "at.yawk.lz4:lz4-java:$versions.lz4",
metrics: "com.yammer.metrics:metrics-core:$versions.metrics",
mockitoCore: "org.mockito:mockito-core:$versions.mockito",
mockitoJunitJupiter: "org.mockito:mockito-junit-jupiter:$versions.mockito",
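Review bot: Changing the coordinates from `org.lz4:lz4-java` to `at.yawk.lz4:lz4-java` means Gradle no longer sees the two artifacts as the same module, so any transitive dependency that still pulls `org.lz4:lz4-java` will be resolved independently and both jars land on the classpath with the same `net.jpountz.lz4` package (the fork keeps that package, as the `src/java/net/jpountz/lz4/` path in the first hunk shows). Conflict resolution only dedupes within one group, so this would go unnoticed until a duplicate-class problem surfaces at runtime; a `resolutionStrategy.dependencySubstitution` rule in the build script, `substitute module("org.lz4:lz4-java") using module("at.yawk.lz4:lz4-java:$versions.lz4")`, redirects the old coordinates, and a check of the runtime classpath for `org.lz4` would confirm whether any such transitive edge exists. If the build uses Gradle dependency verification or a checksum allow-list, the new group also needs an entry there, since this is a move to a differently-signed fork rather than a plain version bump.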