[
https://issues.apache.org/jira/browse/KAFKA-19951?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18042486#comment-18042486
]
Chia-Ping Tsai commented on KAFKA-19951:
----------------------------------------
{quote}
I think that's largely true, except in some circumstances where users are using
custom class loaders [0]
{quote}
I checked the class LZ4JavaUnsafeSafeDecompressor and found it relies on
numerous unsafe APIs for array access. I believe this could impact a subset of
users who rely on custom classloaders. Since we are preparing the 3.9.2 and
4.2.0 releases, perhaps we should document this limitation to remind users in
these specific cases.
> switch lz4-java to at.yawk.lz4 version due to CVE
> -------------------------------------------------
>
> Key: KAFKA-19951
> URL: https://issues.apache.org/jira/browse/KAFKA-19951
> Project: Kafka
> Issue Type: Bug
> Components: compression
> Reporter: PJ Fanning
> Priority: Major
> Fix For: 3.9.2, 4.2.0, 4.0.2, 4.1.2
>
>
> https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183
> https://github.com/search?q=repo%3Aapache%2Fkafka%20lz4-java&type=code
> The fork jar is a drop in replacement (same package name as the original jar)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
