[ https://issues.apache.org/jira/browse/KAFKA-19951?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18042278#comment-18042278 ]
Mickael Maison edited comment on KAFKA-19951 at 12/2/25 7:02 PM:
-----------------------------------------------------------------
Yes, now that there is a supported and compatible alternative, we definitively
want to switch to it.
But I still think it's important to confidently determine whether Kafka is
vulnerable or not. If it's vulnerable we need to do emergency releases.
Otherwise we can probably document it and stick to our planned release cycle.
That's not quite the same level of organization/work.
was (Author: mimaison):
Yes now that there is a supported and compatible alternative, we definitively
want to switch to it.
But I still think it's important to confidently determine whether Kafka is
vulnerable or not. If it's vulnerable we need to do emergency releases.
Otherwise we can probably document it and stick to our planned release cycle.
That's not quite the same level of organizations/work.
> switch lz4-java to at.yawk.lz4 version due to CVE
> -------------------------------------------------
>
> Key: KAFKA-19951
> URL: https://issues.apache.org/jira/browse/KAFKA-19951
> Project: Kafka
> Issue Type: Bug
> Components: compression
> Reporter: PJ Fanning
> Priority: Major
>
> https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183
> https://github.com/search?q=repo%3Aapache%2Fkafka%20lz4-java&type=code
> The fork jar is a drop-in replacement (same package name as the original jar)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)