[jira] [Resolved] (HADOOP-19747) switch lz4-java to at.yawk.lz4 version due to CVE

Steve Loughran (Jira) Thu, 04 Dec 2025 06:59:18 -0800


     [ 
https://issues.apache.org/jira/browse/HADOOP-19747?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Steve Loughran resolved HADOOP-19747.
-------------------------------------
    Fix Version/s: 3.5.0
                   3.4.3
     Release Note: The hadoop Lz4Compressor  instantiates a compressor via a 
call to  LZ4Factory.fastestInstance().safeDecompressor() and so is not directly 
vulnerable to CVE-2025-12183
         Assignee: PJ Fanning
       Resolution: Fixed

> switch lz4-java to at.yawk.lz4 version due to CVE
> -------------------------------------------------
>
>                 Key: HADOOP-19747
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19747
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: common
>            Reporter: PJ Fanning
>            Assignee: PJ Fanning
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.5.0, 3.4.3
>
>
> https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183
> https://github.com/search?q=repo%3Aapache%2Fhadoop%20lz4-java&type=code
> The fork jar is a drop in replacement (same package name as the original jar)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Resolved] (HADOOP-19747) switch lz4-java to at.yawk.lz4 version due to CVE

Reply via email to