[
https://issues.apache.org/jira/browse/SPARK-54567?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18045979#comment-18045979
]
Yaniv Kunda commented on SPARK-54567:
-------------------------------------
This should also apply to the 3.5.x and 4.1.x branches -
it affects the latest versions in both.
Should be easy to backport as it's a drop-in replacement.
> switch lz4-java to at.yawk.lz4 version due to CVE
> -------------------------------------------------
>
> Key: SPARK-54567
> URL: https://issues.apache.org/jira/browse/SPARK-54567
> Project: Spark
> Issue Type: Bug
> Components: Spark Core
> Affects Versions: 4.0.1
> Reporter: PJ Fanning
> Priority: Major
>
> https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183
> https://github.com/search?q=repo%3Aapache%2Fspark%20lz4-java&type=code
> The fork jar is a drop in replacement (same package name as the original jar)
> Use of the fastDecompressor is probably worrisome. If you use the
> safeDecompressor even with the old jar, this should be safer.
> https://github.com/apache/spark/blob/7251e95e22cc9afd39bcae3ad0ef56b7843ac0fb/core/src/main/scala/org/apache/spark/io/CompressionCodec.scala#L158
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
