[
https://issues.apache.org/jira/browse/CASSANDRA-21052?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18042239#comment-18042239
]
Stefan Miklosovic commented on CASSANDRA-21052:
-----------------------------------------------
I think that the way to go here is to write to the Cassandra DEV mailing list about
this and what you propose. Any library replacement or introduction has to go
over this process where additional concerns, if any, are discussed and
targeted. We will definitely not resolve this in this ticket, that is for sure.
> switch lz4-java to at.yawk.lz4 version due to CVE
> -------------------------------------------------
>
> Key: CASSANDRA-21052
> URL: https://issues.apache.org/jira/browse/CASSANDRA-21052
> Project: Apache Cassandra
> Issue Type: Bug
> Reporter: PJ Fanning
> Priority: Normal
>
> https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183
> https://github.com/search?q=repo%3Aapache%2Fcassandra%20lz4-java&type=code
> (but also affects other Cassandra git repos too - e.g.
> apache/cassandra-java-driver)
> The fork jar is a drop-in replacement (same package name as the original jar)