CVE-2025-12183 CVE-2025-66566 LZ4 vulnerabilities (#946)

maximthomas · web-flow · commit 375284cfcc89 · 2025-12-09T17:28:46.000+03:00
diff --git a/openam-cassandra/openam-cassandra-datastore/pom.xml b/openam-cassandra/openam-cassandra-datastore/pom.xml
@@ -12,7 +12,7 @@
  * Header, with the fields enclosed by brackets [] replaced by your own identifying
  * information: "Portions copyright [year] [name of copyright owner]".
  *
- * Copyright 2019 Open Identity Platform Community.
+ * Copyright 2019-2025 3A Systems LLC.
 -->
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
   <modelVersion>4.0.0</modelVersion>
@@ -35,8 +35,8 @@
 		    <artifactId>java-driver-core</artifactId>
 		</dependency>
 		<dependency>
-		    <groupId>org.lz4</groupId>
-		    <artifactId>lz4-java</artifactId>
+			<groupId>at.yawk.lz4</groupId>
+			<artifactId>lz4-java</artifactId>
 		</dependency>
 		<dependency>
 		    <groupId>org.xerial.snappy</groupId>
diff --git a/openam-cassandra/openam-cassandra-embedded/pom.xml b/openam-cassandra/openam-cassandra-embedded/pom.xml
@@ -12,7 +12,7 @@
  * Header, with the fields enclosed by brackets [] replaced by your own identifying
  * information: "Portions copyright [year] [name of copyright owner]".
  *
- * Copyright 2019 Open Identity Platform Community.
+ * Copyright 2019-2025 3A Systems LLC.
 -->
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
   <modelVersion>4.0.0</modelVersion>
@@ -35,6 +35,10 @@
 		    <groupId>org.apache.cassandra</groupId>
 		    <artifactId>cassandra-all</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>at.yawk.lz4</groupId>
+			<artifactId>lz4-java</artifactId>
+		</dependency>
 		<dependency>
 		    <groupId>com.google.guava</groupId>
 		    <artifactId>failureaccess</artifactId>
diff --git a/openam-cassandra/pom.xml b/openam-cassandra/pom.xml
@@ -12,7 +12,7 @@
  * Header, with the fields enclosed by brackets [] replaced by your own identifying
  * information: "Portions copyright [year] [name of copyright owner]".
  *
- * Copyright 2019 Open Identity Platform Community.
+ * Copyright 2019-2025 3A Systems LLC.
 -->
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
     <modelVersion>4.0.0</modelVersion>
@@ -50,11 +50,17 @@
 			    <groupId>org.apache.cassandra</groupId>
 			    <artifactId>cassandra-all</artifactId>
 			    <version>4.0.17</version>
+				<exclusions>
+					<exclusion>
+						<groupId>org.lz4</groupId>
+						<artifactId>lz4-java</artifactId>
+					</exclusion>
+				</exclusions>
 			</dependency>
 			<dependency>
-			    <groupId>org.lz4</groupId>
-			    <artifactId>lz4-java</artifactId>
-			    <version>1.8.0</version>
+				<groupId>at.yawk.lz4</groupId>
+				<artifactId>lz4-java</artifactId>
+				<version>1.10.1</version>
 			</dependency>
 			<dependency>
 			    <groupId>org.xerial.snappy</groupId>
