[
https://issues.apache.org/jira/browse/HADOOP-19747?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Steve Loughran updated HADOOP-19747:
------------------------------------
Component/s: build
> switch lz4-java to at.yawk.lz4 version due to CVE
> -------------------------------------------------
>
> Key: HADOOP-19747
> URL: https://issues.apache.org/jira/browse/HADOOP-19747
> Project: Hadoop Common
> Issue Type: Bug
> Components: build, common
> Reporter: PJ Fanning
> Assignee: PJ Fanning
> Priority: Major
> Labels: pull-request-available
> Fix For: 3.5.0, 3.4.3
>
>
> https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183
> https://github.com/search?q=repo%3Aapache%2Fhadoop%20lz4-java&type=code
> The fork jar is a drop in replacement (same package name as the original jar)
> h2. CVE notes
> The hadoop decompressor org.apache.hadoop.io.compress.lz4.Lz4Compressor
> instantiated a compressor via a call to
> {code}
> LZ4Factory.fastestInstance().safeDecompressor()
> {code}
> and so is not directly vulnerable to CVE-2025-12183.
> This update is a due diligence/maintenance update, one to keep the CVE
> scanners quiet.
> If you have come here because your CVE scanner detected it: this is not one
> to worry about.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
