Bump lz4-java to 1.10.2 for CVE-2025-12183 & CVE-2025-66566 fixes.

slfan1989 · slfan1989 · commit 04cf84409de8 · 2025-12-28T16:58:56.000+08:00
diff --git a/build.gradle b/build.gradle
@@ -670,6 +670,13 @@ project(':iceberg-delta-lake') {
     }
   }
 
+  configurations.all {
+    resolutionStrategy.capabilitiesResolution.withCapability("org.lz4:lz4-java") {
+      select("at.yawk.lz4:lz4-java:0")
+      because("Resolve lz4-java capability conflict between Spark 3.5 (org.lz4:lz4-java:1.8.0) and Iceberg (at.yawk.lz4:lz4-java:1.10.2)")
+    }
+  }
+
   // The newest version of delta-core uses Spark 3.5.*. The integration test should only be built
   // if iceberg-spark-3.5 is available
   if (sparkVersions.contains("3.5")) {
diff --git a/kafka-connect/build.gradle b/kafka-connect/build.gradle
@@ -29,13 +29,6 @@ project(':iceberg-kafka-connect:iceberg-kafka-connect-events') {
   test {
     useJUnitPlatform()
   }
-
-  configurations.all {
-    resolutionStrategy.capabilitiesResolution.withCapability("org.lz4:lz4-java") {
-        select("at.yawk.lz4:lz4-java:0")
-        because("Resolve lz4-java capability conflict caused by relocation and CVEs (CVE-2025-12183 & CVE-2025-66566)")
-    }
-  }
 }
 
 project(':iceberg-kafka-connect:iceberg-kafka-connect') {
@@ -272,3 +265,14 @@ project(':iceberg-kafka-connect:iceberg-kafka-connect-transforms') {
     useJUnitPlatform()
   }
 }
+
+subprojects {
+  if (project.name.contains('kafka-connect')) {
+    configurations.all {
+      resolutionStrategy.capabilitiesResolution.withCapability("org.lz4:lz4-java") {
+        select("at.yawk.lz4:lz4-java:0")
+        because("Resolve lz4-java capability conflict between deprecated org.lz4:lz4-java:1.8.0 (from Kafka Clients 3.9.1) and secure at.yawk.lz4:lz4-java:1.10.2 (from Iceberg)")
+      }
+    }
+  }
+}
diff --git a/spark/v3.4/build.gradle b/spark/v3.4/build.gradle
@@ -120,6 +120,13 @@ project(":iceberg-spark:iceberg-spark-${sparkMajorVersion}_${scalaVersion}") {
     useJUnitPlatform()
   }
 
+  configurations.all {
+    resolutionStrategy.capabilitiesResolution.withCapability("org.lz4:lz4-java") {
+      select("at.yawk.lz4:lz4-java:0")
+      because("Resolve lz4-java capability conflict caused by relocation and CVEs (CVE-2025-12183 & CVE-2025-66566)")
+    }
+  }
+
   tasks.withType(Test) {
     // Vectorized reads need more memory
     maxHeapSize '3160m'

Original file line number	Diff line number	Diff line change
`@@ -670,6 +670,13 @@ project(':iceberg-delta-lake') {`
`670`	`670`	`}`
`671`	`671`	`}`
`672`	`672`
	`673`	`+ configurations.all {`
	`674`	`+ resolutionStrategy.capabilitiesResolution.withCapability("org.lz4:lz4-java") {`
	`675`	`+ select("at.yawk.lz4:lz4-java:0")`
	`676`	`+ because("Resolve lz4-java capability conflict between Spark 3.5 (org.lz4:lz4-java:1.8.0) and Iceberg (at.yawk.lz4:lz4-java:1.10.2)")`
	`677`	`+ }`
	`678`	`+ }`
	`679`	`+`
`673`	`680`	`// The newest version of delta-core uses Spark 3.5.*. The integration test should only be built`
`674`	`681`	`// if iceberg-spark-3.5 is available`
`675`	`682`	`if (sparkVersions.contains("3.5")) {`