Skip to content

lz4-java vuln remediation 1/23/26 #5567

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
bdoyle0182 merged 1 commit into from
Jan 23, 2026
Merged

lz4-java vuln remediation 1/23/26 #5567

bdoyle0182 merged 1 commit into from
Jan 23, 2026
+6 −0

Conversation

@bdoyle0182
Copy link
Contributor

@bdoyle0182 bdoyle0182 commented Jan 23, 2026

Description

handles CVE-2025-12183, CVE-2025-66566 by patching lz4-java, a transitive dependency of kafka-clients without doing major upgrade of kafka-clients.

Related issue and scope

  • I opened an issue to propose and discuss this change (#????)

My changes affect the following components

  • API
  • Controller
  • Message Bus (e.g., Kafka)
  • Loadbalancer
  • Scheduler
  • Invoker
  • Intrinsic actions (e.g., sequences, conductors)
  • Data stores (e.g., CouchDB)
  • Tests
  • Deployment
  • CLI
  • General tooling
  • Documentation

Types of changes

  • Bug fix (generally a non-breaking change which closes an issue).
  • Enhancement or new feature (adds new functionality).
  • Breaking change (a bug fix or enhancement which changes existing behavior).

Checklist:

  • I signed an Apache CLA.
  • I reviewed the style guides and followed the recommendations (Travis CI will check :).
  • I added tests to cover my changes.
  • My changes require further changes to the documentation.
  • I updated the documentation where necessary.

dgrove-oss
dgrove-oss approved these changes Jan 23, 2026
View reviewed changes
Copy link
Member

@dgrove-oss dgrove-oss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@bdoyle0182 bdoyle0182 merged commit 3d28212 into apache:master Jan 23, 2026
6 of 7 checks passed
@bdoyle0182 bdoyle0182 deleted the vuln-remediation branch January 23, 2026 21:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dgrove-oss dgrove-oss dgrove-oss approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bdoyle0182 @dgrove-oss