This is an automated email from the ASF dual-hosted git repository.
mmerli pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/master by this push:
new c07f2adbacc [fix][sec] Exclude org.lz4:lz4-java and standardize on
at.yawk.lz4-java to remediate CVE-2025-12183 and CVE-2025-66566 (#25198)
c07f2adbacc is described below
commit c07f2adbaccc34c05bfbb895889f464fa9cc495f
Author: guptas6est <[email protected]>
AuthorDate: Mon Feb 2 21:59:58 2026 +0530
[fix][sec] Exclude org.lz4:lz4-java and standardize on at.yawk.lz4-java to
remediate CVE-2025-12183 and CVE-2025-66566 (#25198)
---
distribution/server/src/assemble/LICENSE.bin.txt | 2 +-
pom.xml | 7 +++++++
pulsar-common/pom.xml | 1 -
pulsar-io/debezium/core/pom.xml | 4 ++++
pulsar-io/kafka-connect-adaptor/pom.xml | 4 ++++
pulsar-io/kafka/pom.xml | 4 ++++
pulsar-io/kinesis-kpl-shaded/pom.xml | 6 ++++++
pulsar-io/kinesis/pom.xml | 6 ++++++
8 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/distribution/server/src/assemble/LICENSE.bin.txt
b/distribution/server/src/assemble/LICENSE.bin.txt
index e5451487a60..94117eeec1b 100644
--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -382,7 +382,7 @@ The Apache Software License, Version 2.0
- org.apache.bookkeeper-bookkeeper-slogger-api-4.17.3.jar
- org.apache.bookkeeper-bookkeeper-slogger-slf4j-4.17.3.jar
- org.apache.bookkeeper-native-io-4.17.3.jar
- - at.yawk.lz4-lz4-java-1.10.2.jar
+ - at.yawk.lz4-lz4-java-1.10.3.jar
* Apache HTTP Client
- org.apache.httpcomponents-httpclient-4.5.13.jar
- org.apache.httpcomponents-httpcore-4.4.15.jar
diff --git a/pom.xml b/pom.xml
index bd1941df942..00dec4700c3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -377,6 +377,7 @@ flexible messaging model and an intuitive client
API.</description>
<commons-beanutils.version>1.11.0</commons-beanutils.version>
<commons-configuration2.version>2.12.0</commons-configuration2.version>
<mina-core.version>2.1.10</mina-core.version>
+ <lz4java.version>1.10.3</lz4java.version>
</properties>
<dependencyManagement>
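Review bot: The new property is named `lz4java.version`, while the neighbouring properties in this block carry the hyphenated artifact id (`commons-beanutils.version`, `mina-core.version`, and `kafka-client.version` as referenced in the kinesis hunks); `<lz4-java.version>1.10.3</lz4-java.version>` would follow the existing convention. If it is renamed, the `${lz4java.version}` reference added in the dependencyManagement hunk of this file must change with it. The `<properties>` element this line belongs to opens before the hunk.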
@@ -1760,6 +1761,12 @@ flexible messaging model and an intuitive client
API.</description>
</exclusion>
</exclusions>
</dependency>
+
+ <dependency>
+ <groupId>at.yawk.lz4</groupId>
+ <artifactId>lz4-java</artifactId>
+ <version>${lz4java.version}</version>
+ </dependency>
</dependencies>
</dependencyManagement>
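Review bot: The managed `at.yawk.lz4:lz4-java` entry pins the replacement version, but nothing in the build stops a later dependency bump from pulling `org.lz4:lz4-java` back in through a transitive path that carries no exclusion, which would silently reintroduce the two CVEs named in the commit title. A maven-enforcer `bannedDependencies` rule with `<exclude>org.lz4:lz4-java</exclude>` would turn that regression into a build failure, assuming the enforcer plugin is already configured in this pom (its plugin section is not visible here). A short comment on the new managed entry, `<!-- at.yawk.lz4 fork replaces org.lz4:lz4-java, which is excluded per module for CVE-2025-12183 / CVE-2025-66566 -->`, would keep the reason attached to the entry for the next cleanup.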
diff --git a/pulsar-common/pom.xml b/pulsar-common/pom.xml
index bce1e4c7b34..09e42ff6188 100644
--- a/pulsar-common/pom.xml
+++ b/pulsar-common/pom.xml
@@ -261,7 +261,6 @@
<dependency>
<groupId>at.yawk.lz4</groupId>
<artifactId>lz4-java</artifactId>
- <version>1.10.1</version>
<scope>test</scope>
</dependency>
diff --git a/pulsar-io/debezium/core/pom.xml b/pulsar-io/debezium/core/pom.xml
index 1825346ab46..2470dfc8e85 100644
--- a/pulsar-io/debezium/core/pom.xml
+++ b/pulsar-io/debezium/core/pom.xml
@@ -85,6 +85,10 @@
<groupId>org.eclipse.jetty</groupId>
<artifactId>*</artifactId>
</exclusion>
+ <exclusion>
+ <groupId>org.lz4</groupId>
+ <artifactId>lz4-java</artifactId>
+ </exclusion>
</exclusions>
</dependency>
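Review bot: Excluding `org.lz4:lz4-java` presumably removes the `net.jpountz.lz4` classes that kafka-clients loads when it meets LZ4-compressed records, but this hunk adds no dependency on `at.yawk.lz4:lz4-java` to stand in for them; unless the fork reaches this module's classpath by a route not visible here, the gap shows up at runtime as a class-not-found error on LZ4 traffic rather than at build time. The same applies to the kafka-connect-adaptor, kafka, kinesis-kpl-shaded and kinesis hunks below. Adding `<dependency><groupId>at.yawk.lz4</groupId><artifactId>lz4-java</artifactId></dependency>` to each affected module (the version comes from the new dependencyManagement entry) and confirming with `mvn dependency:tree` that no `org.lz4` artifact remains in the packaged NAR would close it. The `<dependency>` whose `<exclusions>` are extended here starts before the hunk, so the artifact the exclusion applies to is not visible.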
diff --git a/pulsar-io/kafka-connect-adaptor/pom.xml
b/pulsar-io/kafka-connect-adaptor/pom.xml
index 787f65124fd..3b125330b02 100644
--- a/pulsar-io/kafka-connect-adaptor/pom.xml
+++ b/pulsar-io/kafka-connect-adaptor/pom.xml
@@ -89,6 +89,10 @@
<artifactId>jose4j</artifactId>
<groupId>org.bitbucket.b_c</groupId>
</exclusion>
+ <exclusion>
+ <groupId>org.lz4</groupId>
+ <artifactId>lz4-java</artifactId>
+ </exclusion>
</exclusions>
</dependency>
diff --git a/pulsar-io/kafka/pom.xml b/pulsar-io/kafka/pom.xml
index e671ca33804..6c70979b5b2 100644
--- a/pulsar-io/kafka/pom.xml
+++ b/pulsar-io/kafka/pom.xml
@@ -84,6 +84,10 @@
<artifactId>jose4j</artifactId>
<groupId>org.bitbucket.b_c</groupId>
</exclusion>
+ <exclusion>
+ <groupId>org.lz4</groupId>
+ <artifactId>lz4-java</artifactId>
+ </exclusion>
</exclusions>
</dependency>
diff --git a/pulsar-io/kinesis-kpl-shaded/pom.xml
b/pulsar-io/kinesis-kpl-shaded/pom.xml
index d2fafb13e48..b6b2a969a13 100644
--- a/pulsar-io/kinesis-kpl-shaded/pom.xml
+++ b/pulsar-io/kinesis-kpl-shaded/pom.xml
@@ -58,6 +58,12 @@
<groupId>org.apache.kafka</groupId>
<artifactId>kafka-clients</artifactId>
<version>${kafka-client.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>org.lz4</groupId>
+ <artifactId>lz4-java</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
</dependencies>
</dependencyManagement>
diff --git a/pulsar-io/kinesis/pom.xml b/pulsar-io/kinesis/pom.xml
index 942ecc672f9..137a3102906 100644
--- a/pulsar-io/kinesis/pom.xml
+++ b/pulsar-io/kinesis/pom.xml
@@ -44,6 +44,12 @@
<groupId>org.apache.kafka</groupId>
<artifactId>kafka-clients</artifactId>
<version>${kafka-client.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>org.lz4</groupId>
+ <artifactId>lz4-java</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
</dependencies>
</dependencyManagement>