This is an automated email from the ASF dual-hosted git repository.
zuston pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/uniffle.git
The following commit(s) were added to refs/heads/master by this push:
new 4c2fd4e10 chore: Update lz4 to address CVE-2025-12183 (#2693)
4c2fd4e10 is described below
commit 4c2fd4e103b765535a685316e9cc17fcaae942f4
Author: advancedxy <[email protected]>
AuthorDate: Fri Dec 5 20:33:14 2025 +0800
chore: Update lz4 to address CVE-2025-12183 (#2693)
### What changes were proposed in this pull request?
1. upgrade lz4 to the latest version of org.lz4:lz4-java
2. replace `fastestInstance` with `safeInstance`
### Why are the changes needed?
To address
[CVE-2025-12183](https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183)
### Does this PR introduce _any_ user-facing change?
No.
### How was this patch tested?
Existing tests.
---
LICENSE-binary | 2 +-
client-mr/core/pom.xml | 6 +++---
client-spark/common/pom.xml | 4 ++--
client-spark/spark2-shaded/pom.xml | 4 ++--
client-spark/spark3-shaded/pom.xml | 4 ++--
client-tez/pom.xml | 6 +++---
common/pom.xml | 4 ++--
.../main/java/org/apache/uniffle/common/compression/Lz4Codec.java | 2 +-
integration-test/common/pom.xml | 4 ++--
integration-test/mr/pom.xml | 4 ++--
integration-test/spark-common/pom.xml | 4 ++--
integration-test/spark2/pom.xml | 4 ++--
integration-test/spark3/pom.xml | 4 ++--
pom.xml | 6 +++---
14 files changed, 29 insertions(+), 29 deletions(-)
diff --git a/LICENSE-binary b/LICENSE-binary
index 6a98acd40..5ddfdf2dc 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -272,7 +272,7 @@ io.prometheus:simpleclient_pushgateway
io.prometheus:simpleclient_servlet
jakarta.validation:jakarta.validation-api
javax.inject:javax.inject
-net.jpountz.lz4:lz4
+org.lz4:lz4-java
org.apache.commons:commons-lang3
org.apache.httpcomponents:httpclient
org.apache.httpcomponents:httpcore
diff --git a/client-mr/core/pom.xml b/client-mr/core/pom.xml
index a0ffe6248..2a47ca320 100644
--- a/client-mr/core/pom.xml
+++ b/client-mr/core/pom.xml
@@ -83,8 +83,8 @@
<artifactId>commons-lang3</artifactId>
</dependency>
<dependency>
- <groupId>net.jpountz.lz4</groupId>
- <artifactId>lz4</artifactId>
+ <groupId>org.lz4</groupId>
+ <artifactId>lz4-java</artifactId>
</dependency>
<dependency>
@@ -169,7 +169,7 @@
<include>com.fasterxml.jackson.core:jackson-annotations</include>
<include>org.roaringbitmap:RoaringBitmap</include>
<include>org.roaringbitmap:shims</include>
- <include>net.jpountz.lz4:lz4</include>
+ <include>org.lz4:lz4-java</include>
<include>org.apache.commons:commons-collections4</include>
</includes>
</artifactSet>
diff --git a/client-spark/common/pom.xml b/client-spark/common/pom.xml
index 639864b19..b233a86a2 100644
--- a/client-spark/common/pom.xml
+++ b/client-spark/common/pom.xml
@@ -86,8 +86,8 @@
</dependency>
<dependency>
- <groupId>net.jpountz.lz4</groupId>
- <artifactId>lz4</artifactId>
+ <groupId>org.lz4</groupId>
+ <artifactId>lz4-java</artifactId>
</dependency>
</dependencies>
diff --git a/client-spark/spark2-shaded/pom.xml
b/client-spark/spark2-shaded/pom.xml
index 31a307fe9..a9d717537 100644
--- a/client-spark/spark2-shaded/pom.xml
+++ b/client-spark/spark2-shaded/pom.xml
@@ -38,8 +38,8 @@
<!-- use the lz4 from spark env -->
<exclusions>
<exclusion>
- <artifactId>lz4</artifactId>
- <groupId>net.jpountz.lz4</groupId>
+ <groupId>org.lz4</groupId>
+ <artifactId>lz4-java</artifactId>
</exclusion>
<exclusion>
<artifactId>log4j-slf4j-impl</artifactId>
diff --git a/client-spark/spark3-shaded/pom.xml
b/client-spark/spark3-shaded/pom.xml
index 74831a256..2910c88ea 100644
--- a/client-spark/spark3-shaded/pom.xml
+++ b/client-spark/spark3-shaded/pom.xml
@@ -38,8 +38,8 @@
<!-- use the lz4 from spark env -->
<exclusions>
<exclusion>
- <artifactId>lz4</artifactId>
- <groupId>net.jpountz.lz4</groupId>
+ <groupId>org.lz4</groupId>
+ <artifactId>lz4-java</artifactId>
</exclusion>
<exclusion>
<artifactId>log4j-slf4j-impl</artifactId>
diff --git a/client-tez/pom.xml b/client-tez/pom.xml
index ec6b1813e..119e8aef2 100644
--- a/client-tez/pom.xml
+++ b/client-tez/pom.xml
@@ -82,8 +82,8 @@
<artifactId>commons-lang3</artifactId>
</dependency>
<dependency>
- <groupId>net.jpountz.lz4</groupId>
- <artifactId>lz4</artifactId>
+ <groupId>org.lz4</groupId>
+ <artifactId>lz4-java</artifactId>
</dependency>
<dependency>
<groupId>com.google.protobuf</groupId>
@@ -185,7 +185,7 @@
<include>com.fasterxml.jackson.core:jackson-annotations</include>
<include>org.roaringbitmap:RoaringBitmap</include>
<include>org.roaringbitmap:shims</include>
- <include>net.jpountz.lz4:lz4</include>
+ <include>org.lz4:lz4-java</include>
<include>org.apache.commons:commons-collections4</include>
</includes>
</artifactSet>
diff --git a/common/pom.xml b/common/pom.xml
index 7330b3fc6..86f48b676 100644
--- a/common/pom.xml
+++ b/common/pom.xml
@@ -83,8 +83,8 @@
<artifactId>RoaringBitmap</artifactId>
</dependency>
<dependency>
- <groupId>net.jpountz.lz4</groupId>
- <artifactId>lz4</artifactId>
+ <groupId>org.lz4</groupId>
+ <artifactId>lz4-java</artifactId>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
diff --git
a/common/src/main/java/org/apache/uniffle/common/compression/Lz4Codec.java
b/common/src/main/java/org/apache/uniffle/common/compression/Lz4Codec.java
index 1e30dfc56..f39434e20 100644
--- a/common/src/main/java/org/apache/uniffle/common/compression/Lz4Codec.java
+++ b/common/src/main/java/org/apache/uniffle/common/compression/Lz4Codec.java
@@ -36,7 +36,7 @@ public class Lz4Codec extends Codec {
}
public Lz4Codec() {
- this.lz4Factory = LZ4Factory.fastestInstance();
+ this.lz4Factory = LZ4Factory.safeInstance();
}
@Override
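Review bot: The switch to `LZ4Factory.safeInstance()` on the new line carries no comment, so a later maintainer tuning the codec could reasonably revert it to `fastestInstance()` and silently reintroduce the issue this commit fixes. A one-line comment would pin the intent: `// Use the pure-Java instance instead of fastestInstance(); see CVE-2025-12183 (#2693)`. If I read the lz4-java API right, safeInstance() skips the JNI and Unsafe fast paths, so this is also a throughput trade-off on the compression path that the description's "no user-facing change" does not mention; a brief note on measured impact in the PR would help reviewers. The enclosing class Lz4Codec starts outside the hunk, and the other uses of lz4Factory are not visible here.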
diff --git a/integration-test/common/pom.xml b/integration-test/common/pom.xml
index 1210a064d..eef340e48 100644
--- a/integration-test/common/pom.xml
+++ b/integration-test/common/pom.xml
@@ -103,8 +103,8 @@
<scope>test</scope>
</dependency>
<dependency>
- <groupId>net.jpountz.lz4</groupId>
- <artifactId>lz4</artifactId>
+ <groupId>org.lz4</groupId>
+ <artifactId>lz4-java</artifactId>
<scope>test</scope>
</dependency>
<dependency>
diff --git a/integration-test/mr/pom.xml b/integration-test/mr/pom.xml
index 55150d79e..eff3040a9 100644
--- a/integration-test/mr/pom.xml
+++ b/integration-test/mr/pom.xml
@@ -139,8 +139,8 @@
</dependency>
<dependency>
- <groupId>net.jpountz.lz4</groupId>
- <artifactId>lz4</artifactId>
+ <groupId>org.lz4</groupId>
+ <artifactId>lz4-java</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
diff --git a/integration-test/spark-common/pom.xml
b/integration-test/spark-common/pom.xml
index f034c10b2..e5a81a8ad 100644
--- a/integration-test/spark-common/pom.xml
+++ b/integration-test/spark-common/pom.xml
@@ -172,8 +172,8 @@
<scope>test</scope>
</dependency>
<dependency>
- <groupId>net.jpountz.lz4</groupId>
- <artifactId>lz4</artifactId>
+ <groupId>org.lz4</groupId>
+ <artifactId>lz4-java</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
diff --git a/integration-test/spark2/pom.xml b/integration-test/spark2/pom.xml
index 57bd2361a..0306af729 100644
--- a/integration-test/spark2/pom.xml
+++ b/integration-test/spark2/pom.xml
@@ -167,8 +167,8 @@
</exclusions>
</dependency>
<dependency>
- <groupId>net.jpountz.lz4</groupId>
- <artifactId>lz4</artifactId>
+ <groupId>org.lz4</groupId>
+ <artifactId>lz4-java</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
diff --git a/integration-test/spark3/pom.xml b/integration-test/spark3/pom.xml
index 0ee8031e4..d76dc0786 100644
--- a/integration-test/spark3/pom.xml
+++ b/integration-test/spark3/pom.xml
@@ -131,8 +131,8 @@
<scope>test</scope>
</dependency>
<dependency>
- <groupId>net.jpountz.lz4</groupId>
- <artifactId>lz4</artifactId>
+ <groupId>org.lz4</groupId>
+ <artifactId>lz4-java</artifactId>
<scope>test</scope>
</dependency>
<dependency>
diff --git a/pom.xml b/pom.xml
index c6a4a4511..fdc0dc20c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -703,9 +703,9 @@
</dependency>
<dependency>
- <groupId>net.jpountz.lz4</groupId>
- <artifactId>lz4</artifactId>
- <version>1.3.0</version>
+ <groupId>org.lz4</groupId>
+ <artifactId>lz4-java</artifactId>
+ <version>1.8.1</version>
</dependency>
<dependency>
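Review bot: The new `<version>1.8.1</version>` only governs modules that actually resolve this artifact; the spark2-shaded and spark3-shaded poms in this same commit exclude `org.lz4:lz4-java` so the copy bundled with the Spark runtime is used instead (their `<!-- use the lz4 from spark env -->` comment), so for those clients the exposure to CVE-2025-12183 presumably follows the Spark distribution's lz4-java version rather than this pin. That is worth stating in the PR description or in the exclusion comment, e.g. `<!-- use the lz4 from spark env; that version, not the root pom's, determines CVE-2025-12183 exposure -->`. Separately, consider managing the version through a property (a constructed name such as `lz4-java.version`) so the next bump is a one-line change; the section enclosing this dependency entry starts and ends outside the hunk.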