[ https://issues.apache.org/jira/browse/CASSANALYTICS-109?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Francisco Guerrero updated CASSANALYTICS-109:
---------------------------------------------
    Source Control Link: 
https://github.com/apache/cassandra-analytics/commit/d9eda711541439c8c44fdd2e87ee99b1e04f509f
             Resolution: Fixed
                 Status: Resolved  (was: Ready to Commit)

> Address LZ4 vulnerability (CVE-2025-12183)
> ------------------------------------------
>
>                 Key: CASSANALYTICS-109
>                 URL: https://issues.apache.org/jira/browse/CASSANALYTICS-109
>             Project: Apache Cassandra Analytics
>          Issue Type: Bug
>          Components: Build, Writer
>            Reporter: Francisco Guerrero
>            Assignee: Francisco Guerrero
>            Priority: Normal
>             Fix For: 0.3
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Analytics uses the org.lz4:lz4-java (v1.8.0) dependency to calculate the 
> xxhash. Details of the CVE: 
> https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183. We 
> need to address the issue of the vulnerability. One option is to move the 
> dependency to a version that addresses the vulnerability; however, there are 
> some complications because the library is no longer being maintained by the 
> original author and a fork has been created that addresses this issue. An 
> alternative approach is to not rely on this dependency and use an alternative 
> library (commons-codec, for example), similar to what Cassandra Sidecar 
> implements.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
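To make the second option in the ticket concrete, the following is an added example (not code from cassandra-analytics, Cassandra Sidecar, or the commit linked above). It computes the XXH32 digest of the same bytes with lz4-java 1.8.0 (the dependency being retired) and with org.apache.commons.codec.digest.XXHash32 from commons-codec (available since commons-codec 1.11), and checks that the two agree both for one-shot and for chunked updates, which is the property a writer that streams data through the hash depends on. The class name, the seed value 0, and the sample inputs are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.zip.Checksum;

import net.jpountz.xxhash.StreamingXXHash32;
import net.jpountz.xxhash.XXHashFactory;
import org.apache.commons.codec.digest.XXHash32;

/**
 * Added illustration for CASSANALYTICS-109 (assumed class name, not project code):
 * compares XXH32 from lz4-java with XXH32 from commons-codec so that the dependency
 * swap can be verified to be digest-compatible before the old library is dropped.
 */
public final class XxHashMigrationCheck {

    /** Assumed seed. commons-codec's no-arg XXHash32() also uses seed 0. */
    private static final int SEED = 0;

    /** XXH32 via lz4-java's pure-Java path (no JNI), returned as an unsigned 32-bit value. */
    static long hashWithLz4(byte[] data) {
        StreamingXXHash32 hash = XXHashFactory.fastestJavaInstance().newStreamingHash32(SEED);
        hash.update(data, 0, data.length);
        // StreamingXXHash32.getValue() returns an int; mask so it compares with the long below.
        return hash.getValue() & 0xFFFFFFFFL;
    }

    /** XXH32 via commons-codec; Checksum.getValue() already yields the unsigned 32-bit digest. */
    static long hashWithCommonsCodec(byte[] data) {
        Checksum hash = new XXHash32(SEED);
        hash.update(data, 0, data.length);
        return hash.getValue();
    }

    /**
     * XXH32 via commons-codec, feeding the input in pieces of chunkSize bytes.
     * Must equal the one-shot value: XXH32 is defined over the byte stream, not the call boundaries.
     */
    static long hashWithCommonsCodecChunked(byte[] data, int chunkSize) {
        Checksum hash = new XXHash32(SEED);
        for (int off = 0; off < data.length; off += chunkSize) {
            int len = Math.min(chunkSize, data.length - off);
            hash.update(data, off, len);
        }
        return hash.getValue();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: empty, below the 16-byte stripe, and well above it.
        byte[][] samples = {
            new byte[0],
            "a".getBytes(StandardCharsets.UTF_8),
            "cassandra-analytics xxhash migration check, longer than sixteen bytes"
                .getBytes(StandardCharsets.UTF_8),
        };
        for (byte[] sample : samples) {
            long lz4 = hashWithLz4(sample);
            long codec = hashWithCommonsCodec(sample);
            long codecChunked = hashWithCommonsCodecChunked(sample, 7); // 7 deliberately misaligns with 16
            if (lz4 != codec || codec != codecChunked) {
                throw new IllegalStateException(String.format(
                    "XXH32 mismatch for %d bytes: lz4=%08x codec=%08x chunked=%08x",
                    sample.length, lz4, codec, codecChunked));
            }
            System.out.printf("%3d bytes  xxh32=%08x  (lz4-java and commons-codec agree)%n",
                sample.length, codec);
        }
    }
}
```

Run this once with both artifacts on the classpath; if every line prints, the commons-codec path can replace the lz4-java path without changing the digests the writer produces, and the org.lz4:lz4-java dependency can then be removed from the build. Keep the seed explicit in the replacement code rather than relying on the no-arg constructor, so a later change of default cannot silently alter the hash.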
