From 805cd563bf01c6ac0d22c1fab377ce042b334e75 Mon Sep 17 00:00:00 2001
From: slfan1989
Date: Sun, 28 Dec 2025 15:54:32 +0800
Subject: [PATCH 1/4] Bump lz4-java to 1.10.2 for CVE-2025-12183 & CVE-2025-66566 fixes.
---
 build.gradle | 19 ++++++++++++++++++-
 gradle/libs.versions.toml | 2 ++
 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/build.gradle b/build.gradle
index bd8062193421..7422586c1c93 100644
--- a/build.gradle
+++ b/build.gradle
@@ -370,7 +370,10 @@ project(':iceberg-core') {
 exclude group: 'org.tukaani' // xz compression is not supported
 }
 
- implementation libs.aircompressor
+ implementation(libs.aircompressor) {
+ exclude group: 'org.lz4'
+ }
+ implementation libs.lz4Java
 implementation libs.httpcomponents.httpclient5
 implementation platform(libs.jackson.bom)
 implementation libs.jackson.core
@@ -1230,3 +1233,17 @@ project(':iceberg-bom') {
 // Needed to get the "faked" Scala artifacts into the bom
 javaPlatform { allowDependencies() }
 }
+
+subprojects {
+ if (project.name.startsWith('iceberg-spark') ||
+ project.name.startsWith('iceberg-flink') ||
+ project.name.startsWith('iceberg-kafka-connect')) {
+
+ configurations.all {
+ resolutionStrategy.capabilitiesResolution.withCapability("org.lz4:lz4-java") {
+ select("at.yawk.lz4:lz4-java:0")
+ because("Fix lz4-java capability conflict from relocation and CVE fixes")
+ }
+ }
+ }
+}
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 4fbba96317ce..d170e505f011 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -72,6 +72,7 @@ junit = "5.14.1"
 junit-platform = "1.14.1"
 kafka = "3.9.1"
 kryo-shaded = "4.0.3"
+lz4Java = "1.10.2"
 microprofile-openapi-api = "3.1.2"
 mockito = "4.11.0"
 mockserver = "5.15.0"
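Review bot: Nothing in the iceberg-core hunk records why `org.lz4` is excluded from aircompressor and a differently-named coordinate is added in its place, so a later aircompressor bump can drop the exclusion and silently reintroduce the vulnerable artifact next to the fixed one; a comment above `implementation libs.lz4Java` such as `// at.yawk.lz4:lz4-java is the relocated lz4-java; 1.10.2 carries the CVE-2025-12183 / CVE-2025-66566 fixes, keep org.lz4 excluded from aircompressor so only one copy of these classes is on the classpath` would keep the intent visible. The exclusion only covers aircompressor's own transitive graph, so if any other iceberg-core dependency also pulls `org.lz4:lz4-java` it would still resolve; confirming with a resolved-dependency report that only the `at.yawk.lz4` artifact appears on iceberg-core's runtime classpath is worth doing before merge. Changing the publisher group is also a supply-chain decision, and if the build uses Gradle dependency verification the new artifact's checksum or signature entry has to be added alongside this change.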
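Review bot: The capability rule in the new `subprojects` block only fires if the `at.yawk.lz4:lz4-java` POM actually declares the `org.lz4:lz4-java` capability; if it does not, Gradle sees no conflict, both jars land on the Spark/Flink/Kafka-connect classpaths, and classpath order decides which copy of the classes is loaded, which may still be the older one. PATCH 3/4 in this series adds a hard exclusion that covers that case, but the assumption the rule relies on should be stated where the rule lives, e.g. `// Spark/Flink/Kafka bring org.lz4:lz4-java transitively; prefer the at.yawk.lz4 relocation that carries the CVE-2025-12183 / CVE-2025-66566 fixes`. The `project.name.startsWith(...)` prefix list is easy to miss when a new module embedding one of those runtimes is added, so a short note that the list must be kept in sync would reduce the chance of a future module quietly resolving the unpatched artifact.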
@@ -162,6 +163,7 @@ kafka-clients = { module = "org.apache.kafka:kafka-clients", version.ref = "kafk
 kafka-connect-api = { module = "org.apache.kafka:connect-api", version.ref = "kafka" }
 kafka-connect-json = { module = "org.apache.kafka:connect-json", version.ref = "kafka" }
 kafka-connect-transforms = { module = "org.apache.kafka:connect-transforms", version.ref = "kafka" }
+lz4Java = { module = "at.yawk.lz4:lz4-java", version.ref = "lz4Java" }
 microprofile-openapi-api = { module = "org.eclipse.microprofile.openapi:microprofile-openapi-api", version.ref = "microprofile-openapi-api" }
 nessie-client = { module = "org.projectnessie.nessie:nessie-client", version.ref = "nessie" }
 netty-buffer = { module = "io.netty:netty-buffer", version.ref = "netty-buffer" }
From a0d9fbda28e7c2d21bb35ffc0048845e4c309bb8 Mon Sep 17 00:00:00 2001
From: slfan1989
Date: Sun, 28 Dec 2025 21:34:28 +0800
Subject: [PATCH 2/4] Bump lz4-java to 1.10.2 for CVE-2025-12183 & CVE-2025-66566 fixes.
---
 build.gradle | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/build.gradle b/build.gradle
index 7422586c1c93..9c03e34dfa61 100644
--- a/build.gradle
+++ b/build.gradle
@@ -670,6 +670,13 @@ project(':iceberg-delta-lake') {
 }
 }
 
+ configurations.all {
+ resolutionStrategy.capabilitiesResolution.withCapability("org.lz4:lz4-java") {
+ select("at.yawk.lz4:lz4-java:0")
+ because("Resolve lz4-java capability conflict between Spark 3.5 (org.lz4:lz4-java:1.8.0) and Iceberg (at.yawk.lz4:lz4-java:1.10.2)")
+ }
+ }
+
 // The newest version of delta-core uses Spark 3.5.*. The integration test should only be built
 // if iceberg-spark-3.5 is available
 if (sparkVersions.contains("3.5")) {
From d19e242f5701237cb943fb6c94b591873f404245 Mon Sep 17 00:00:00 2001
From: slfan1989
Date: Mon, 29 Dec 2025 09:49:22 +0800
Subject: [PATCH 3/4] Bump lz4-java to 1.10.2 for CVE-2025-12183 & CVE-2025-66566 fixes.
---
 build.gradle | 1 +
 1 file changed, 1 insertion(+)
diff --git a/build.gradle b/build.gradle
index 9c03e34dfa61..607e474ec3f8 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1247,6 +1247,7 @@ subprojects {
 project.name.startsWith('iceberg-kafka-connect')) {
 
 configurations.all {
+ exclude group: 'org.lz4', module: 'lz4-java'
 resolutionStrategy.capabilitiesResolution.withCapability("org.lz4:lz4-java") {
 select("at.yawk.lz4:lz4-java:0")
 because("Fix lz4-java capability conflict from relocation and CVE fixes")
From 7a7eee97377dbf559203afe3158cf0c3ace2a703 Mon Sep 17 00:00:00 2001
From: slfan1989
Date: Wed, 31 Dec 2025 05:25:22 +0800
Subject: [PATCH 4/4] Bump lz4-java to 1.10.2 for CVE-2025-12183 & CVE-2025-66566 fixes.
---
 build.gradle | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/build.gradle b/build.gradle
index 607e474ec3f8..28173b3583a8 100644
--- a/build.gradle
+++ b/build.gradle
@@ -670,13 +670,6 @@ project(':iceberg-delta-lake') {
 }
 }
 
- configurations.all {
- resolutionStrategy.capabilitiesResolution.withCapability("org.lz4:lz4-java") {
- select("at.yawk.lz4:lz4-java:0")
- because("Resolve lz4-java capability conflict between Spark 3.5 (org.lz4:lz4-java:1.8.0) and Iceberg (at.yawk.lz4:lz4-java:1.10.2)")
- }
- }
-
 // The newest version of delta-core uses Spark 3.5.*. The integration test should only be built
 // if iceberg-spark-3.5 is available
 if (sparkVersions.contains("3.5")) {
@@ -1244,6 +1237,7 @@ project(':iceberg-bom') {
 subprojects {
 if (project.name.startsWith('iceberg-spark') ||
 project.name.startsWith('iceberg-flink') ||
+ project.name.startsWith('iceberg-delta-lake') ||
 project.name.startsWith('iceberg-kafka-connect')) {
 
 configurations.all {
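Review bot: Once `exclude group: 'org.lz4', module: 'lz4-java'` is applied to every configuration, there is most likely no `org.lz4` candidate left for the capability rule right below it to resolve, so that rule and its `because("Fix lz4-java capability conflict ...")` text no longer describe what actually happens; either drop the rule or reword the reason so the next reader does not think the conflict is still being arbitrated. The exclusion also means any Spark/Flink/Kafka code that was compiled against `org.lz4:lz4-java` now runs against the `at.yawk.lz4` artifact, which is only safe if that artifact is a true relocation with the same packages and native loader; the `because` strings assert this, but the exclude line itself should say it, e.g. `// Hard-exclude the vulnerable coordinate; at.yawk.lz4:lz4-java is a relocation of the same classes and takes its place`. The enclosing `subprojects` block starts and ends outside this hunk.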
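Review bot: Removing the delta-lake block earlier in this patch also removes the only text that recorded why the override is needed at all (Spark 3.5 pulls in `org.lz4:lz4-java:1.8.0`), and the `iceberg-delta-lake` prefix added here now carries that knowledge silently. A comment above the `if` in the `subprojects` block would preserve it, e.g. `// Modules that embed Spark/Flink/Kafka inherit org.lz4:lz4-java transitively (1.8.0 via Spark 3.5); force the at.yawk.lz4 relocation that carries the CVE-2025-12183 / CVE-2025-66566 fixes`. The body of the `if` continues outside the hunk.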