[ https://issues.apache.org/jira/browse/CASSANALYTICS-109?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Francisco Guerrero updated CASSANALYTICS-109:
---------------------------------------------
Bug Category: Parent values: Security(12985)
Complexity: Low Hanging Fruit
Component/s: Build, Writer
Discovered By: User Report
Fix Version/s: 0.3
Severity: Normal
Status: Open (was: Triage Needed)
> Address LZ4 vulnerability (CVE-2025-12183)
> ------------------------------------------
>
> Key: CASSANALYTICS-109
> URL: https://issues.apache.org/jira/browse/CASSANALYTICS-109
> Project: Apache Cassandra Analytics
> Issue Type: Bug
> Components: Build, Writer
> Reporter: Francisco Guerrero
> Assignee: Francisco Guerrero
> Priority: Normal
> Fix For: 0.3
>
>
> Analytics uses the org.lz4:lz4-java (v1.8.0) dependency to calculate the
> xxhash. Details of the CVE:
> https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183. We
> need to address the issue of the vulnerability. One option is to move the
> dependency to a version that addresses the vulnerability; however, there are
> some complications because the library is no longer being maintained by the
> original author and a fork has been created that addresses this issue. An
> alternative approach is to not rely on this dependency and use an alternative
> library (commons-codec for example), similar to what Cassandra Sidecar
> implements.
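The second option in the description (replacing the lz4-java xxhash with commons-codec) is only safe if both libraries produce identical xxhash32 values for the same seed. The parity check below is an added example, not code from Cassandra Analytics or Sidecar; it assumes both org.lz4:lz4-java and commons-codec (1.11 or later, which ships `org.apache.commons.codec.digest.XXHash32`) are on the classpath, and the seed and sample inputs are constructed.

```java
import java.nio.charset.StandardCharsets;
import net.jpountz.xxhash.XXHashFactory;
import org.apache.commons.codec.digest.XXHash32;

/** Parity check for migrating xxhash32 from lz4-java to commons-codec (added example). */
public final class XxHashParityCheck {
    // Constructed seed; use whatever seed the existing Analytics code passes.
    private static final int SEED = 0x9747b28c;

    /** xxhash32 as computed today via lz4-java; normalised to an unsigned long. */
    static long lz4XxHash32(byte[] data, int seed) {
        // lz4-java's own XXHash32 type is not imported, to avoid clashing with commons-codec's.
        int h = XXHashFactory.fastestInstance().hash32().hash(data, 0, data.length, seed);
        return h & 0xFFFFFFFFL; // lz4-java returns a signed int
    }

    /** xxhash32 via commons-codec's java.util.zip.Checksum implementation, fed in chunks. */
    static long codecXxHash32(byte[] data, int seed, int chunkSize) {
        XXHash32 hash = new XXHash32(seed);
        for (int off = 0; off < data.length; off += chunkSize) {
            int len = Math.min(chunkSize, data.length - off);
            hash.update(data, off, len);
        }
        return hash.getValue(); // already unsigned (0..2^32-1)
    }

    public static void main(String[] args) {
        // Constructed sample inputs: empty, shorter than one 16-byte stripe, and longer.
        byte[][] samples = {
            new byte[0],
            "abc".getBytes(StandardCharsets.UTF_8),
            "The quick brown fox jumps over the lazy dog, many times over."
                .getBytes(StandardCharsets.UTF_8),
        };
        for (byte[] sample : samples) {
            long expected = lz4XxHash32(sample, SEED);
            long whole = codecXxHash32(sample, SEED, Integer.MAX_VALUE);
            long chunked = codecXxHash32(sample, SEED, 7); // odd chunk size exercises buffering
            if (expected != whole || expected != chunked) {
                throw new IllegalStateException("xxhash32 mismatch for " + sample.length + " bytes");
            }
        }
        System.out.println("commons-codec XXHash32 matches lz4-java for all samples");
    }
}
```

Run this once with both dependencies present before dropping lz4-java; a mismatch means stored hashes would not round-trip after the swap.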
--
This message was sent by Atlassian Jira (v8.20.10#820010)