
Commit 2d0fda4

committed
Merge branch 'cassandra-4.0' into cassandra-4.1
* cassandra-4.0: Switch lz4-java to at.yawk.lz4 version due to CVE
2 parents efa0ead + ec3b425 commit 2d0fda4


3 files changed

+14
-4
lines changed


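--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -3,6 +3,7 @@
 * ReadCommandController should close fast to avoid deadlock when building secondary index (CASSANDRA-19564)
 * Redact security-sensitive information in system_views.settings (CASSANDRA-20856)
 Merged from 4.0:
+* Switch lz4-java to at.yawk.lz4 version due to CVE (CASSANDRA-20152)
 * Restrict BytesType compatibility to scalar types only (CASSANDRA-20982)
 * Backport fix to nodetool gcstats output for direct memory (CASSANDRA-21037)
 * ArrayIndexOutOfBoundsException with repaired data tracking and counters (CASSANDRA-20871)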

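--- a/NEWS.txt
+++ b/NEWS.txt
@@ -51,8 +51,17 @@ restore snapshots created with the previous major version using the
 'sstableloader' tool. You can upgrade the file format of your snapshots
 using the provided 'sstableupgrade' tool.
 
-4.1.7
-=====
+4.1.11
+======
+
+Upgrading
+---------
+- This release addresses a security vulnerability in the LZ4 dependency, documented in CASSANDRA-21052. For users
+who did not use LZ4 native libraries, this will now fallback to a safer but less performant pure Java
+implementation. During startup, a warning will be logged if the LZ4 native library is not available.
+
+4.0.14
+======
 
 Upgrading
 ---------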

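--- a/build.xml
+++ b/build.xml
@@ -562,7 +562,7 @@
 <scm connection="${scm.connection}" developerConnection="${scm.developerConnection}" url="${scm.url}"/>
 <dependencyManagement>
 <dependency groupId="org.xerial.snappy" artifactId="snappy-java" version="1.1.10.4"/>
-<dependency groupId="org.lz4" artifactId="lz4-java" version="1.8.0"/>
+<dependency groupId="at.yawk.lz4" artifactId="lz4-java" version="1.10.1"/>
 <dependency groupId="com.github.luben" artifactId="zstd-jni" version="1.5.7-2"/>
 <dependency groupId="com.google.guava" artifactId="guava" version="27.0-jre">
 <exclusion groupId="com.google.code.findbugs" artifactId="jsr305" />
@@ -844,7 +844,7 @@
 relativePath="${final.name}-parent.pom"/>
 <scm connection="${scm.connection}" developerConnection="${scm.developerConnection}" url="${scm.url}"/>
 <dependency groupId="org.xerial.snappy" artifactId="snappy-java"/>
-<dependency groupId="org.lz4" artifactId="lz4-java"/>
+<dependency groupId="at.yawk.lz4" artifactId="lz4-java"/>
 <dependency groupId="com.google.guava" artifactId="guava"/>
 <dependency groupId="commons-cli" artifactId="commons-cli"/>
 <dependency groupId="commons-codec" artifactId="commons-codec"/>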
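Review bot: Changing the groupId at new lines 565 and 847 does not by itself keep the old `org.lz4:lz4-java` jar off the classpath, because Maven resolution treats `at.yawk.lz4:lz4-java` as an unrelated artifact; if any other dependency still brings in the old coordinates transitively (not visible in these hunks), both jars would resolve and the vulnerable classes could still be the ones loaded. I would add `<exclusion groupId="org.lz4" artifactId="lz4-java"/>` to any dependency that does so, or a build-time check that fails when the old coordinates appear, plus a comment next to line 565 such as `<!-- at.yawk.lz4 replaces org.lz4:lz4-java because of the LZ4 CVE; do not reintroduce the old coordinates -->`. Because the artifact now comes from a different publisher, it is also worth confirming that its checksum is pinned wherever the build verifies dependencies. Both the `<dependencyManagement>` block and the second dependency list start and end outside the hunks, so existing exclusions may already cover this. Separately, CHANGES.txt cites CASSANDRA-20152 and NEWS.txt cites CASSANDRA-21052 for the same change, and one of the two looks transposed.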
