frankgh pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/cassandra-analytics.git
The following commit(s) were added to refs/heads/trunk by this push:
new d9eda711 CASSANALYTICS-109: Address LZ4 vulnerability (CVE-2025-12183)
(#161)
d9eda711 is described below
commit d9eda711541439c8c44fdd2e87ee99b1e04f509f
Author: Francisco Guerrero <[email protected]>
AuthorDate: Thu Dec 4 16:37:57 2025 -0800
CASSANALYTICS-109: Address LZ4 vulnerability (CVE-2025-12183) (#161)
Patch by Francisco Guerrero; reviewed by Yifan Cai for CASSANALYTICS-109
---
CHANGES.txt | 1 +
cassandra-analytics-core/build.gradle | 2 --
.../apache/cassandra/spark/utils/XXHash32DigestAlgorithm.java | 11 +++++------
3 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/CHANGES.txt b/CHANGES.txt
index 56c088f4..96c200ef 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,5 +1,6 @@
0.2.0
-----
+ * Address LZ4 vulnerability (CVE-2025-12183) (CASSANALYTICS-109)
* Add TimeRangeFilter to filter out SSTables outside given time window
(CASSANALYTICS-102)
* Generated distribution artifacts fix (CASSANALYTICS-105)
* Fix SSTable descriptor mismatch preventing newly produced SSTables from
being uploaded (CASSANALYTICS-98)
diff --git a/cassandra-analytics-core/build.gradle
b/cassandra-analytics-core/build.gradle
index 0114f2ff..259c3252 100644
--- a/cassandra-analytics-core/build.gradle
+++ b/cassandra-analytics-core/build.gradle
@@ -91,8 +91,6 @@ dependencies {
runtimeOnly(group: 'net.java.dev.jna', name: 'jna', version:
"${jnaVersion}")
runtimeOnly(group: 'net.java.dev.jna', name: 'jna-platform', version:
"${jnaVersion}")
- implementation(group: 'org.lz4', name: 'lz4-java', version: '1.8.0') //
for xxhash
-
if ("${scalaMajorVersion}" == "2.11") {
implementation(group: 'org.scala-lang.modules', name:
"scala-java8-compat_2.11", version: '1.0.1', transitive: false)
}
diff --git
a/cassandra-analytics-core/src/main/java/org/apache/cassandra/spark/utils/XXHash32DigestAlgorithm.java
b/cassandra-analytics-core/src/main/java/org/apache/cassandra/spark/utils/XXHash32DigestAlgorithm.java
index e6918b22..82de9e0f 100644
---
a/cassandra-analytics-core/src/main/java/org/apache/cassandra/spark/utils/XXHash32DigestAlgorithm.java
+++
b/cassandra-analytics-core/src/main/java/org/apache/cassandra/spark/utils/XXHash32DigestAlgorithm.java
@@ -24,8 +24,8 @@ import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
-import net.jpountz.xxhash.StreamingXXHash32;
-import net.jpountz.xxhash.XXHashFactory;
+import org.apache.commons.codec.digest.XXHash32;
+
import org.apache.cassandra.spark.common.Digest;
import org.apache.cassandra.spark.common.XXHash32Digest;
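Review bot: The new import of `org.apache.commons.codec.digest.XXHash32` has no matching dependency declaration in the visible build.gradle hunk, which only removes `lz4-java`. If commons-codec arrives only transitively, its version is set by whichever library pulls it in, and `XXHash32` exists only from commons-codec 1.11 onward. Consider declaring it directly, for example `implementation(group: 'commons-codec', name: 'commons-codec', version: "<pinned-version>")` (placeholder version), unless it is already declared outside the hunk. Separately, dropping the direct `lz4-java` dependency does not by itself remove the jar from the runtime classpath if another dependency still brings it in, so a dependency report for the affected configurations is worth checking before treating CVE-2025-12183 as closed.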
@@ -51,9 +51,8 @@ public class XXHash32DigestAlgorithm implements
DigestAlgorithm
public Digest calculateFileDigest(Path path) throws IOException
{
// might have shared hashers with ThreadLocal
- XXHashFactory factory = XXHashFactory.safeInstance();
- try (InputStream inputStream = Files.newInputStream(path);
- StreamingXXHash32 hasher = factory.newStreamingHash32(SEED))
+ XXHash32 hasher = new XXHash32(SEED);
+ try (InputStream inputStream = Files.newInputStream(path))
{
int len;
byte[] buffer = new byte[KIB_512];
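Review bot: The comment `// might have shared hashers with ThreadLocal` above `XXHash32 hasher = new XXHash32(SEED);` is left over from the factory-based code and no longer says anything useful about the line below it. The hasher is now a plain local object, created once per call and holding mutable state, so I would replace the comment with `// one XXHash32 per call; the instance is stateful and must not be shared across threads`. The body of calculateFileDigest continues past the end of this hunk.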
@@ -61,7 +60,7 @@ public class XXHash32DigestAlgorithm implements
DigestAlgorithm
{
hasher.update(buffer, 0, len);
}
- return new XXHash32Digest(Integer.toHexString(hasher.getValue()),
SEED);
+ return new XXHash32Digest(Long.toHexString(hasher.getValue()),
SEED);
}
}
}
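Review bot: Nothing in the change records or tests that `Long.toHexString(hasher.getValue())` produces the same digest string as the old `Integer.toHexString(...)`. The strings only match if the `long` returned by `getValue()` carries the hash as an unsigned 32-bit value, which appears to be the case for commons-codec, but a sign-extended value would yield a 16-digit string and silently break comparison with digests computed elsewhere. I would add a comment such as `// getValue() holds the unsigned 32-bit hash, so this matches the former Integer.toHexString output`. A unit test that hashes a fixed input with `SEED` and asserts the exact hex string produced by the previous implementation would also guard future library upgrades. The method starts in the previous hunk.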