This is an automated email from the ASF dual-hosted git repository.
mimaison pushed a commit to branch 3.9
in repository https://gitbox.apache.org/repos/asf/kafka.git
The following commit(s) were added to refs/heads/3.9 by this push:
new d19a0cc0338 KAFKA-19951: Update lz4 dependency version for
CVE-2025-12183 & CVE-2025-66566 (#21035)
d19a0cc0338 is described below
commit d19a0cc0338db13e4e41012be3e63d2e186f6648
Author: Erik Anderson <[email protected]>
AuthorDate: Tue Dec 9 09:24:21 2025 -0500
KAFKA-19951: Update lz4 dependency version for CVE-2025-12183 &
CVE-2025-66566 (#21035)
Updated lz4 dependency version from 1.8.0 to 1.10.1
https://nvd.nist.gov/vuln/detail/CVE-2025-12183
https://nvd.nist.gov/vuln/detail/CVE-2025-66566
https://github.com/yawkat/lz4-java/releases/tag/v1.8.1
https://github.com/yawkat/lz4-java/releases/tag/v1.10.0
https://github.com/yawkat/lz4-java/releases/tag/v1.10.1
Reviewers: Gaurav Narula <[email protected]>, Lan Ding
<[email protected]>, Chia-Ping Tsai <[email protected]>, Mickael Maison
<[email protected]>, PoAn Yang <[email protected]>
---------
Co-authored-by: Erik Anderson <[email protected]>
Co-authored-by: Chia-Ping Tsai <[email protected]>
Co-authored-by: Mickael Maison <[email protected]>
---
LICENSE-binary | 2 +-
NOTICE-binary | 2 +-
gradle/dependencies.gradle | 6 ++++--
3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/LICENSE-binary b/LICENSE-binary
index 9a4f96979a4..b9cf1251f62 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -240,7 +240,7 @@ jetty-servlets-9.4.57.v20241219
jetty-util-9.4.57.v20241219
jetty-util-ajax-9.4.57.v20241219
jose4j-0.9.4
-lz4-java-1.8.0
+lz4-java-1.10.1
maven-artifact-3.9.6
metrics-core-4.1.12.1
metrics-core-2.2.0
diff --git a/NOTICE-binary b/NOTICE-binary
index d3207a131e2..2c62a40abe8 100644
--- a/NOTICE-binary
+++ b/NOTICE-binary
@@ -730,7 +730,7 @@ and decompression library written by Adrien Grand. It can
be obtained at:
* LICENSE:
* license/LICENSE.lz4.txt (Apache License 2.0)
* HOMEPAGE:
- * https://github.com/jpountz/lz4-java
+ * https://github.com/yawkat/lz4-java
This product optionally depends on 'lzma-java', a LZMA Java compression
and decompression library, which can be obtained at:
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index 88042a44caa..916092d8188 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -139,7 +139,9 @@ versions += [
kafka_37: "3.7.2",
kafka_38: "3.8.1",
// When updating lz4 make sure the compression levels in
org.apache.kafka.common.record.CompressionType are still valid
- lz4: "1.8.0",
+ //
https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/record/CompressionType.java#L73-L74
+ //
https://github.com/yawkat/lz4-java/blob/main/src/java/net/jpountz/lz4/LZ4Constants.java#L23-L24
+ lz4: "1.10.1",
mavenArtifact: "3.9.6",
metrics: "2.2.0",
netty: "4.1.125.Final",
@@ -238,7 +240,7 @@ libs += [
kafkaStreams_36: "org.apache.kafka:kafka-streams:$versions.kafka_36",
kafkaStreams_37: "org.apache.kafka:kafka-streams:$versions.kafka_37",
kafkaStreams_38: "org.apache.kafka:kafka-streams:$versions.kafka_38",
- lz4: "org.lz4:lz4-java:$versions.lz4",
+ lz4: "at.yawk.lz4:lz4-java:$versions.lz4",
metrics: "com.yammer.metrics:metrics-core:$versions.metrics",
dropwizardMetrics:
"io.dropwizard.metrics:metrics-core:$versions.dropwizardMetrics",
mockitoCore: "org.mockito:$mockitoArtifactName:$mockitoVersion",
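Review bot: The new coordinate `at.yawk.lz4:lz4-java` resolves the dependency from a different Maven groupId than the `org.lz4` artifact it replaces, so the trust root for this binary moves from the original project to a fork, and nothing in the build file records that the switch was deliberate. A comment beside the `libs` entry, e.g. `// lz4-java is now consumed from the yawkat fork (groupId at.yawk.lz4); the net.jpountz.lz4 package name is unchanged`, would keep a future maintainer from "correcting" it back to `org.lz4`, where the fixed versions are presumably not published. If the build uses Gradle dependency verification or any checksum/signature allow-list, the new groupId needs its own entry, and the first artifact fetched under the new coordinates is worth comparing against the release's published checksum before merging. The package-name statement is inferred from the LZ4Constants.java path cited in the hunk above; confirm that no import changes were needed elsewhere.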