This is an automated email from the ASF dual-hosted git repository.

bdoyle pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/openwhisk.git


The following commit(s) were added to refs/heads/master by this push:
     new 3d28212ee lz4-java vuln remediation 1/23/26 (#5567)
3d28212ee is described below

commit 3d28212ee547ca7b0e9b33d64270b8b8bb4040e9
Author: Brendan Doyle <[email protected]>
AuthorDate: Fri Jan 23 13:20:29 2026 -0800

    lz4-java vuln remediation 1/23/26 (#5567)
    
    Co-authored-by: Brendan Doyle <[email protected]>
---
 common/scala/build.gradle | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/common/scala/build.gradle b/common/scala/build.gradle
index 7e9849b06..2f1099593 100644
--- a/common/scala/build.gradle
+++ b/common/scala/build.gradle
@@ -206,4 +206,10 @@ configurations {
         exclude group: 'commons-logging'
         exclude group: 'log4j'
     }
+    all {
+        resolutionStrategy.dependencySubstitution {
+            // CVE-2025-12183, CVE-2025-66566: org.lz4:lz4-java relocated to at.yawk.lz4 transitive dependency of kafka-clients
+            substitute module('org.lz4:lz4-java') using module('at.yawk.lz4:lz4-java:1.10.3')
+        }
+    }
 }
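Review bot: The substitution in the added `all { resolutionStrategy.dependencySubstitution { … } }` block only applies to configurations resolved by `common/scala` itself; Gradle does not propagate a resolution strategy to projects that depend on this one, so a module that resolves its own runtime classpath may still pull the old `org.lz4:lz4-java` through kafka-clients. The other build files are not visible here, so this needs confirming: run `./gradlew <project>:dependencyInsight --dependency lz4-java --configuration runtimeClasspath` for each packaged module and check that only `at.yawk.lz4:lz4-java:1.10.3` is selected, or move the rule to a shared place such as the root build's `allprojects` block. It would also help to record the reason in the rule itself, `substitute module('org.lz4:lz4-java') using module('at.yawk.lz4:lz4-java:1.10.3') because 'CVE-2025-12183, CVE-2025-66566'`, and to say in the comment that the pin can be dropped once kafka-clients depends on a fixed lz4-java. The enclosing `configurations` block starts outside the hunk.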
