HBASE-29740 Upgrade lz4-java to 1.8.1+ (#7513)
Upgrade to 1.10.1 to address both CVE-2025-12183 and CVE-2025-66566.
Signed-off-by: Duo Zhang <zhangduo@apache.org>
diff --git a/hbase-compression/hbase-compression-lz4/pom.xml b/hbase-compression/hbase-compression-lz4/pom.xml
index 1e4ff03..69bb74a 100644
--- a/hbase-compression/hbase-compression-lz4/pom.xml
+++ b/hbase-compression/hbase-compression-lz4/pom.xml
@@ -70,7 +70,7 @@
</dependency>
<!-- native Java compression codecs -->
<dependency>
- <groupId>org.lz4</groupId>
+ <groupId>at.yawk.lz4</groupId>
<artifactId>lz4-java</artifactId>
</dependency>
<!--Test-->
diff --git a/pom.xml b/pom.xml
index b625897..0fdbd21 100644
--- a/pom.xml
+++ b/pom.xml
@@ -973,7 +973,7 @@
<!-- compression -->
<aircompressor.version>0.27</aircompressor.version>
<brotli4j.version>1.11.0</brotli4j.version>
- <lz4.version>1.8.0</lz4.version>
+ <lz4.version>1.10.1</lz4.version>
<snappy.version>1.1.10.4</snappy.version>
<zstd-jni.version>1.5.7-2</zstd-jni.version>
<!--
@@ -1794,8 +1794,13 @@
<artifactId>aircompressor</artifactId>
<version>${aircompressor.version}</version>
</dependency>
+ <!--
+ The official lz4-java project has been discontinued, we have to move to
+ a community fork for addressing CVE-2025-12183 since 1.8.1+,
+ see: https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183
+ -->
<dependency>
- <groupId>org.lz4</groupId>
+ <groupId>at.yawk.lz4</groupId>
<artifactId>lz4-java</artifactId>
<version>${lz4.version}</version>
</dependency>
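Review bot: Swapping the managed coordinate from `org.lz4:lz4-java` to the `at.yawk.lz4` fork only fixes the direct dependency; any transitive dependency that still declares `org.lz4:lz4-java` will keep pulling the old 1.8.0 artifact alongside the fork, and this hunk adds nothing to stop that. Consider pairing the new `<dependency>` with a Maven Enforcer `bannedDependencies` rule (or explicit exclusions) for `org.lz4:lz4-java`, and check the shaded/assembly outputs for duplicate `net.jpountz` classes, which I assume the fork keeps under the same package since the artifactId is unchanged — worth confirming. The new comment cites only the Sonatype page for CVE-2025-12183 and omits CVE-2025-66566 from the commit message; since this is a trust transfer to a community fork, it should also record the fork's source repository and who verified the artifact's provenance, e.g. `The upstream org.lz4:lz4-java project is unmaintained; the at.yawk.lz4 fork (repo URL here, signing key/provenance verified by ...) fixes CVE-2025-12183 in 1.8.1+ and CVE-2025-66566 in 1.10.1.`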