Re: [PR] chore: Update lz4 to address CVE-2025-12183 [uniffle]
advancedxy commented on PR #2693: URL: https://github.com/apache/uniffle/pull/2693#issuecomment-3625626670

> Maintainer here, it is not necessary to move to safeInstance if you apply the patch. The workaround in the CVE is only necessary if you cannot upgrade for some reason.

Thanks for the heads up. The initial modifications were made to make sure that we can still work around the issue if there are other concerns about the lz4 upgrade. Since it's already merged and we are planning to upgrade to the latest version, I think we can revert the change or keep it as it is.

> Thanks @advancedxy, merged.

Thanks.

> We will upgrade to the latest version in the next week.

We may need to release a new version with the current lz4 version first? Otherwise, downstream users will have to deal with potentially two versions of lz4 in their class path.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] - To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
Re: [PR] chore: Update lz4 to address CVE-2025-12183 [uniffle]
zuston commented on PR #2693: URL: https://github.com/apache/uniffle/pull/2693#issuecomment-3616884880

> @zuston FYI another CVE was discovered and published today, and only 1.10.1 has a patch: [GHSA-cmp6-m4wj-q63q](https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q)
>
> Though from a quick glance, your code is probably safe. It only passes newly created buffers to decompress, so there should be no risk of leakage.

Thanks. We will upgrade to the latest version in the next week.
Re: [PR] chore: Update lz4 to address CVE-2025-12183 [uniffle]
yawkat commented on PR #2693: URL: https://github.com/apache/uniffle/pull/2693#issuecomment-3616789169

@zuston FYI another CVE was discovered and published today, and only 1.10.1 has a patch: https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q

Though from a quick glance, your code is probably safe. It only passes newly created buffers to decompress, so there should be no risk of leakage.
Re: [PR] chore: Update lz4 to address CVE-2025-12183 [uniffle]
zuston commented on PR #2693: URL: https://github.com/apache/uniffle/pull/2693#issuecomment-3616745560

Thanks @advancedxy, merged.
Re: [PR] chore: Update lz4 to address CVE-2025-12183 [uniffle]
zuston merged PR #2693: URL: https://github.com/apache/uniffle/pull/2693
Re: [PR] chore: Update lz4 to address CVE-2025-12183 [uniffle]
zuston commented on PR #2693: URL: https://github.com/apache/uniffle/pull/2693#issuecomment-3609695994

> Maintainer here, it is not necessary to move to safeInstance if you apply the patch. The workaround in the CVE is only necessary if you cannot upgrade for some reason.

Got it. Thanks for your suggestion.
Re: [PR] chore: Update lz4 to address CVE-2025-12183 [uniffle]
zuston commented on code in PR #2693: URL: https://github.com/apache/uniffle/pull/2693#discussion_r2587196974

## pom.xml: ## @@ -703,9 +703,9 @@ -net.jpountz.lz4 -lz4 -1.3.0 +org.lz4 +lz4-java +1.8.1

Review Comment:
Maybe this lightweight PR can be merged first. The further improvements can be addressed in a separate PR, since they will require some additional work to accommodate the API changes.
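Review bot: the version pinned in this hunk, 1.8.1, does not match the PR description's "latest version of org.lz4:lz4-java", and the thread later notes that only 1.10.1 carries the patch for the follow-up advisory GHSA-cmp6-m4wj-q63q; confirm that whichever version is pinned actually ships the fix for CVE-2025-12183 before relying on this bump alone. Because the hunk changes both the groupId and the artifactId, Maven does not treat `net.jpountz.lz4:lz4` and `org.lz4:lz4-java` as the same artifact, so a transitive copy of the old jar (Spark 2, as mentioned in the thread) will stay on the classpath next to the new one; add an exclusion for `net.jpountz.lz4:lz4` in dependencyManagement, or at least document the expected conflict in the PR description.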
Re: [PR] chore: Update lz4 to address CVE-2025-12183 [uniffle]
zuston commented on code in PR #2693: URL: https://github.com/apache/uniffle/pull/2693#discussion_r2587194734

## pom.xml: ## @@ -703,9 +703,9 @@ -net.jpountz.lz4 -lz4 -1.3.0 +org.lz4 +lz4-java +1.8.1

Review Comment:
> Judging from the release notes, does the latest version mitigate some of the negative performance impacts caused by the fix for CVE-2025-12183?
>
> https://github.com/yawkat/lz4-java/releases

cc @yawkat
Re: [PR] chore: Update lz4 to address CVE-2025-12183 [uniffle]
yawkat commented on PR #2693: URL: https://github.com/apache/uniffle/pull/2693#issuecomment-3607025375

Maintainer here, it is not necessary to move to safeInstance if you apply the patch. The workaround in the CVE is only necessary if you cannot upgrade for some reason.
Re: [PR] chore: Update lz4 to address CVE-2025-12183 [uniffle]
LuciferYang commented on code in PR #2693: URL: https://github.com/apache/uniffle/pull/2693#discussion_r2584120138

## pom.xml: ## @@ -703,9 +703,9 @@ -net.jpountz.lz4 -lz4 -1.3.0 +org.lz4 +lz4-java +1.8.1

Review Comment:
Judging from the release notes, does the latest version mitigate some of the negative performance impacts caused by the fix for CVE-2025-12183?

https://github.com/yawkat/lz4-java/releases
Re: [PR] chore: Update lz4 to address CVE-2025-12183 [uniffle]
github-actions[bot] commented on PR #2693: URL: https://github.com/apache/uniffle/pull/2693#issuecomment-3605447346

## Test Results

3 165 files ±0, 3 165 suites ±0, 6h 55m 36s ⏱️ (+2m 25s)
1 232 tests ±0: 1 231 ✅ ±0, 1 💤 ±0, 0 ❌ ±0
15 619 runs ±0: 15 604 ✅ ±0, 15 💤 ±0, 0 ❌ ±0

Results for commit d3e3666e. ± Comparison against base commit 61e47b30.
Re: [PR] chore: Update lz4 to address CVE-2025-12183 [uniffle]
LuciferYang commented on code in PR #2693: URL: https://github.com/apache/uniffle/pull/2693#discussion_r2583915733

## pom.xml: ## @@ -703,9 +703,9 @@ -net.jpountz.lz4 -lz4 -1.3.0 +org.lz4 +lz4-java +1.8.1

Review Comment:
Why not just use 1.10.0?
Re: [PR] chore: Update lz4 to address CVE-2025-12183 [uniffle]
advancedxy commented on PR #2693: URL: https://github.com/apache/uniffle/pull/2693#issuecomment-3605394725

@LuciferYang @jerqi @zuston @kaijchen @leixm would you mind taking a look at this?

I think the biggest issue with this change is that it introduces a new lz4 jar into the classpath. Legacy systems such as Spark 2 may still have the original `net.jpountz.lz4` jar, which could result in a class conflict. But I think we probably should proceed with the new version.
[PR] chore: Update lz4 to address CVE-2025-12183 [uniffle]
advancedxy opened a new pull request, #2693: URL: https://github.com/apache/uniffle/pull/2693

### What changes were proposed in this pull request?

1. Upgrade lz4 to the latest version of org.lz4:lz4-java.
2. Replace `fastestInstance` with `safeInstance`.

### Why are the changes needed?

To address [CVE-2025-12183](https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183).

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

Existing tests.
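The two mitigations the thread talks about, the `fastestInstance` to `safeInstance` swap from the PR description and the maintainer's remark that Uniffle only passes newly created buffers to decompress, can be seen together in one small round trip. The following is an added example, not Uniffle's code and not taken from the PR. It uses the public lz4-java API (`LZ4Factory.safeInstance()`, `fastCompressor()`, `safeDecompressor()`, `LZ4SafeDecompressor.decompress(...)`), which lives under the `net.jpountz.lz4` package even in the `org.lz4:lz4-java` artifact, which is exactly why the thread worries about a class conflict with the old `net.jpountz.lz4:lz4` jar. The assumption that the caller knows the original block length (as a framing header would provide) and the sample input are both constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import net.jpountz.lz4.LZ4Compressor;
import net.jpountz.lz4.LZ4Exception;
import net.jpountz.lz4.LZ4Factory;
import net.jpountz.lz4.LZ4SafeDecompressor;

/**
 * Added example (not Uniffle's code): round-trips a block through lz4-java with
 * the workaround discussed in the PR, LZ4Factory.safeInstance(), and always
 * decompresses into a freshly allocated output buffer.
 */
public final class Lz4SafeRoundTrip {

  // safeInstance() picks the fastest implementation that does not rely on
  // sun.misc.Unsafe; fastestInstance() would prefer the JNI or Unsafe-based
  // one when available. This is the workaround the PR description applies.
  private static final LZ4Factory FACTORY = LZ4Factory.safeInstance();

  /** Compresses src and returns exactly the compressed bytes, with no trailing slack. */
  public static byte[] compress(byte[] src) {
    LZ4Compressor compressor = FACTORY.fastCompressor();
    byte[] dest = new byte[compressor.maxCompressedLength(src.length)];
    int n = compressor.compress(src, 0, src.length, dest, 0, dest.length);
    return Arrays.copyOf(dest, n);
  }

  /**
   * Decompresses a block whose original length is known. The length is assumed to
   * come from the caller's own framing (a parameter here). The destination is a
   * brand-new, zero-filled array on every call, so nothing from an earlier block
   * can be exposed through it, and the safe decompressor bounds-checks every write
   * against dest instead of trusting the lengths encoded in the input.
   */
  public static byte[] decompress(byte[] compressed, int originalLength) {
    if (originalLength < 0) {
      throw new IllegalArgumentException("negative original length");
    }
    LZ4SafeDecompressor decompressor = FACTORY.safeDecompressor();
    byte[] dest = new byte[originalLength];  // never reused between calls
    int produced = decompressor.decompress(compressed, 0, compressed.length, dest, 0);
    if (produced != originalLength) {
      // Truncated or hostile block: fail closed rather than hand back a
      // partially filled buffer whose tail is unrelated to the input.
      throw new LZ4Exception("expected " + originalLength + " bytes, got " + produced);
    }
    return dest;
  }

  public static void main(String[] args) {
    // Constructed sample input; repetition makes the block compress noticeably.
    byte[] original = "uniffle shuffle block, uniffle shuffle block, uniffle shuffle block"
        .getBytes(StandardCharsets.UTF_8);

    byte[] packed = compress(original);
    byte[] unpacked = decompress(packed, original.length);
    if (!Arrays.equals(original, unpacked)) {
      throw new AssertionError("round trip mismatch");
    }
    System.out.println("compressed " + original.length + " -> " + packed.length
        + " bytes, round trip OK");

    // A block missing its last byte must be rejected, not silently accepted:
    // the safe decompressor either throws on the malformed input or returns
    // a short count, and decompress() turns the short count into an exception.
    byte[] damaged = Arrays.copyOf(packed, packed.length - 1);
    try {
      decompress(damaged, original.length);
      throw new AssertionError("truncated block was accepted");
    } catch (LZ4Exception expected) {
      System.out.println("truncated block rejected: " + expected.getMessage());
    }
  }
}
```

Once the project is on a patched lz4-java release the factory line can go back to `fastestInstance()`, as the maintainer says in the thread; the fresh-buffer and length-check discipline in `decompress` is worth keeping regardless of which implementation the factory picks.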
