
Conversation

massakam (Contributor) commented Jan 8, 2026

Motivation

net.jpountz.lz4:lz4 has been reported to contain multiple vulnerabilities, but it is no longer maintained and users are advised to migrate to the community version, at.yawk.lz4:lz4-java.
https://www.sonatype.com/security-advisories/cve-2025-12183

Changes

Pulsar has already done this replacement, so I made a similar change.
apache/pulsar#25032
Migrating to at.yawk.lz4:lz4-java will fix the vulnerabilities, but the security advisory also recommends replacing .fastDecompressor() with .safeDecompressor() for better performance.
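As an added illustration of the API change mentioned above (not code from this PR or from either library), here is the difference between the two decompressor entry points, assuming the at.yawk.lz4:lz4-java fork keeps the net.jpountz.lz4 package names so that only the Maven coordinates change:

```java
// Added example, not code from this PR or either library. Assumes the at.yawk.lz4:lz4-java
// fork keeps the net.jpountz.lz4 package as a drop-in replacement (only Maven coordinates change).
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import net.jpountz.lz4.LZ4Compressor;
import net.jpountz.lz4.LZ4Exception;
import net.jpountz.lz4.LZ4Factory;
import net.jpountz.lz4.LZ4FastDecompressor;
import net.jpountz.lz4.LZ4SafeDecompressor;

public class Lz4SafeDecompressDemo {
    private static final LZ4Factory FACTORY = LZ4Factory.fastestInstance();
    // Before: the fast decompressor takes no compressed length. It trusts the
    // caller-supplied destLen and has no bound on how far into src it reads,
    // so a malformed or truncated block is not reliably detected.
    static byte[] decompressFast(byte[] compressed, int originalLength) {
        LZ4FastDecompressor d = FACTORY.fastDecompressor();
        byte[] out = new byte[originalLength];
        d.decompress(compressed, 0, out, 0, originalLength); // returns bytes consumed
        return out;
    }

    // After: the safe decompressor is given srcLen and maxDestLen, checks the
    // stream against both, and throws LZ4Exception on malformed input.
    static byte[] decompressSafe(byte[] compressed, int maxDecompressedLength) {
        LZ4SafeDecompressor d = FACTORY.safeDecompressor();
        byte[] out = new byte[maxDecompressedLength];
        int written = d.decompress(compressed, 0, compressed.length, out, 0, maxDecompressedLength);
        return Arrays.copyOf(out, written); // real length comes from the decoder, not the caller
    }

    public static void main(String[] args) {
        // Constructed sample input, compressed in-process so the demo runs offline.
        byte[] original = "constructed sample payload, constructed sample payload".getBytes(StandardCharsets.UTF_8);
        LZ4Compressor c = FACTORY.fastCompressor();
        byte[] buf = new byte[c.maxCompressedLength(original.length)];
        int clen = c.compress(original, 0, original.length, buf, 0, buf.length);
        byte[] compressed = Arrays.copyOf(buf, clen);
        System.out.println("round trip ok: " + Arrays.equals(original, decompressSafe(compressed, 1024)));

        // Constructed failure case: the same block cut short by 4 bytes. The safe
        // decompressor rejects it instead of reading past the end of the data.
        byte[] truncated = Arrays.copyOf(compressed, clen - 4);
        try {
            decompressSafe(truncated, 1024);
        } catch (LZ4Exception e) {
            System.out.println("rejected malformed block: " + e.getMessage());
        }
    }
}
```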

massakam (Contributor, Author) commented Jan 8, 2026

OWASP Dependency Check is failing with the following error, which I believe is unrelated to this change and should be fixed in another PR:

Error: netty-transport-4.1.121.Final.jar (pkg:maven/io.netty/netty-transport@4.1.121.Final, cpe:2.3:a:netty:netty:4.1.121:*:*:*:*:*:*:*): CVE-2025-55163(8.2), CVE-2025-58056(2.9), CVE-2025-58057(6.9)

@zymap zymap added this to the 4.18.0 milestone Jan 12, 2026
@zymap zymap merged commit b88fb5f into apache:master Jan 12, 2026
24 of 25 checks passed
zymap pushed a commit that referenced this pull request Jan 12, 2026
@massakam massakam deleted the replace-lz4 branch January 13, 2026 01:09
