SteNicholas opened a new pull request, #3555: URL: https://github.com/apache/celeborn/pull/3555
### What changes were proposed in this pull request?

Bump lz4-java version from 1.8.0 to 1.8.1 to resolve CVE-2025-12183.

### Why are the changes needed?

[CVE-2025-12183](https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183): Various lz4-java compression and decompression implementations do not guard against out-of-bounds memory access. Untrusted input may lead to denial of service and information disclosure. Vulnerable Maven coordinates: org.lz4:lz4-java up to and including 1.8.0. Therefore, the lz4-java version should be upgraded to 1.8.1 and the following workaround should be followed:

> Applications using LZ4Factory.nativeInstance() in conjunction with .fastDecompressor() can switch to .safeInstance() in the short term. In the long term, it is recommended to switch to .safeDecompressor(), which is not vulnerable and provides better performance (despite the name).

### Does this PR resolve a correctness bug?

No.

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

CI.

-- This is an automated message from the Apache Git Service.
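The two workaround forms quoted from the advisory above, shown side by side in working Java. This is an added example, not code from the PR or from Celeborn; the class and method names are invented for illustration, the sample payload is constructed, and it assumes lz4-java (`net.jpountz.lz4`) on the classpath.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import net.jpountz.lz4.LZ4Compressor;
import net.jpountz.lz4.LZ4Exception;
import net.jpountz.lz4.LZ4Factory;
import net.jpountz.lz4.LZ4FastDecompressor;
import net.jpountz.lz4.LZ4SafeDecompressor;

public class Lz4WorkaroundExample {

    // Short-term workaround from the advisory: keep the fast-decompressor API but take it
    // from safeInstance() (pure-Java, bounds-checked) instead of nativeInstance().
    // Note the API shape: the caller supplies only the expected decompressed length and
    // must trust that value and the compressed buffer as a whole.
    static byte[] decompressShortTerm(byte[] compressed, int originalLen) {
        LZ4FastDecompressor dec = LZ4Factory.safeInstance().fastDecompressor();
        return dec.decompress(compressed, originalLen);
    }

    // Long-term form from the advisory: safeDecompressor() takes both the compressed length
    // and a maximum destination length, so reads and writes are bounded and malformed input
    // surfaces as an LZ4Exception rather than an out-of-bounds access.
    static byte[] decompressLongTerm(byte[] compressed, int compressedLen, int maxDestLen) {
        LZ4SafeDecompressor dec = LZ4Factory.fastestInstance().safeDecompressor();
        return dec.decompress(compressed, 0, compressedLen, maxDestLen);
    }

    public static void main(String[] args) {
        // Constructed sample payload; a real shuffle block would be far larger.
        byte[] original = "celeborn shuffle block ".repeat(64).getBytes(StandardCharsets.UTF_8);
        LZ4Compressor comp = LZ4Factory.fastestInstance().fastCompressor();
        byte[] buf = new byte[comp.maxCompressedLength(original.length)];
        int compressedLen = comp.compress(original, 0, original.length, buf, 0, buf.length);

        byte[] a = decompressShortTerm(Arrays.copyOf(buf, compressedLen), original.length);
        byte[] b = decompressLongTerm(buf, compressedLen, original.length);
        System.out.println("round-trip ok: " + (Arrays.equals(a, original) && Arrays.equals(b, original)));

        // Simulate an untrusted, truncated frame: the safe decompressor is expected to
        // reject it with LZ4Exception instead of reading past the data it was given.
        try {
            decompressLongTerm(buf, compressedLen / 2, original.length);
            System.out.println("truncated input decoded without error (unexpected)");
        } catch (LZ4Exception e) {
            System.out.println("truncated input rejected: " + e.getMessage());
        }
    }
}
```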
