
Commit 3906ecc

committed
Bump lz4-java to 1.10.2 for CVE-2025-12183 & CVE-2025-66566 fixes.
1 parent 0651b89 commit 3906ecc


2 files changed

+27
-1
lines changed


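--- a/build.gradle
+++ b/build.gradle
@@ -370,7 +370,10 @@ project(':iceberg-core') {
 exclude group: 'org.tukaani' // xz compression is not supported
 }
 
-implementation libs.aircompressor
+implementation(libs.aircompressor) {
+exclude group: 'org.lz4'
+}
+implementation libs.lz4Java
 implementation libs.httpcomponents.httpclient5
 implementation platform(libs.jackson.bom)
 implementation libs.jackson.core
@@ -667,6 +670,13 @@ project(':iceberg-delta-lake') {
 }
 }
 
+configurations.all {
+resolutionStrategy.capabilitiesResolution.withCapability("org.lz4:lz4-java") {
+select("at.yawk.lz4:lz4-java:0")
+because("Resolve lz4-java capability conflict between Spark 3.5 (org.lz4:lz4-java:1.8.0) and Iceberg (at.yawk.lz4:lz4-java:1.10.2)")
+}
+}
+
 // The newest version of delta-core uses Spark 3.5.*. The integration test should only be built
 // if iceberg-spark-3.5 is available
 if (sparkVersions.contains("3.5")) {
@@ -1230,3 +1240,17 @@ project(':iceberg-bom') {
 // Needed to get the "faked" Scala artifacts into the bom
 javaPlatform { allowDependencies() }
 }
+
+subprojects {
+if (project.name.startsWith('iceberg-spark') ||
+project.name.startsWith('iceberg-flink') ||
+project.name.startsWith('iceberg-kafka-connect')) {
+
+configurations.all {
+resolutionStrategy.capabilitiesResolution.withCapability("org.lz4:lz4-java") {
+select("at.yawk.lz4:lz4-java:0")
+because("Fix lz4-java capability conflict from relocation and CVE fixes")
+}
+}
+}
+}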
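Review bot: The capability rule in the trailing `subprojects` block is gated on a hard-coded list of name prefixes (`iceberg-spark`, `iceberg-flink`, `iceberg-kafka-connect`), so any other module whose graph pulls in `org.lz4:lz4-java` is not covered. A capability rule also only acts where both coordinates meet, so a configuration that resolves the old artifact alone would presumably keep the version affected by the CVEs named in the commit title. Consider dropping the `if` so the rule applies to every subproject (which would also make the duplicate block in `:iceberg-delta-lake` unnecessary), or substituting the old coordinate outright with `resolutionStrategy.dependencySubstitution { substitute module('org.lz4:lz4-java') using module("at.yawk.lz4:lz4-java:${libs.versions.lz4Java.get()}") }`. The `:0` in `select("at.yawk.lz4:lz4-java:0")` appears to be the placeholder idiom from the Gradle docs rather than a real version; a comment such as `// version is a placeholder; select() picks the candidate by group:name` would keep it from being read as a typo. Running `dependencyInsight` for `org.lz4:lz4-java` on the runtime classpaths of the shipped bundles would confirm that nothing still resolves the old artifact.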

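--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -72,6 +72,7 @@ junit = "5.14.1"
 junit-platform = "1.14.1"
 kafka = "3.9.1"
 kryo-shaded = "4.0.3"
+lz4Java = "1.10.2"
 microprofile-openapi-api = "3.1.2"
 mockito = "4.11.0"
 mockserver = "5.15.0"
@@ -162,6 +163,7 @@ kafka-clients = { module = "org.apache.kafka:kafka-clients", version.ref = "kafk
 kafka-connect-api = { module = "org.apache.kafka:connect-api", version.ref = "kafka" }
 kafka-connect-json = { module = "org.apache.kafka:connect-json", version.ref = "kafka" }
 kafka-connect-transforms = { module = "org.apache.kafka:connect-transforms", version.ref = "kafka" }
+lz4Java = { module = "at.yawk.lz4:lz4-java", version.ref = "lz4Java" }
 microprofile-openapi-api = { module = "org.eclipse.microprofile.openapi:microprofile-openapi-api", version.ref = "microprofile-openapi-api" }
 nessie-client = { module = "org.projectnessie.nessie:nessie-client", version.ref = "nessie" }
 netty-buffer = { module = "io.netty:netty-buffer", version.ref = "netty-buffer" }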
