Merge branch 'cassandra-4.1' into cassandra-5.0

aratno · aratno · commit 6fd83986e91a · 2025-12-18T10:59:09.000-08:00
* cassandra-4.1: Switch lz4-java to at.yawk.lz4 version due to CVE
diff --git a/.build/cassandra-deps-template.xml b/.build/cassandra-deps-template.xml
@@ -45,7 +45,7 @@
       <artifactId>snappy-java</artifactId>
     </dependency>
     <dependency>
-      <groupId>org.lz4</groupId>
+      <groupId>at.yawk.lz4</groupId>
       <artifactId>lz4-java</artifactId>
     </dependency>
     <dependency>
diff --git a/.build/parent-pom-template.xml b/.build/parent-pom-template.xml
@@ -294,9 +294,9 @@
         <version>1.1.10.4</version>
       </dependency>
       <dependency>
-        <groupId>org.lz4</groupId>
+        <groupId>at.yawk.lz4</groupId>
         <artifactId>lz4-java</artifactId>
-        <version>1.8.0</version>
+        <version>1.10.1</version>
       </dependency>
       <dependency>
         <groupId>com.github.luben</groupId>
@@ -746,7 +746,7 @@
       <dependency>
         <groupId>io.netty</groupId>
         <artifactId>netty-all</artifactId>
-        <version>4.1.119.Final</version>
+        <version>4.1.130.Final</version>
         <exclusions>
           <exclusion>
             <groupId>io.netty</groupId>
@@ -840,18 +840,18 @@
       <dependency>
         <groupId>io.netty</groupId>
         <artifactId>netty-transport-native-epoll</artifactId>
-        <version>4.1.119.Final</version>
+        <version>4.1.130.Final</version>
       </dependency>
       <dependency>
         <groupId>io.netty</groupId>
         <artifactId>netty-transport-native-epoll</artifactId>
-        <version>4.1.119.Final</version>
+        <version>4.1.130.Final</version>
         <classifier>linux-x86_64</classifier>
       </dependency>
       <dependency>
         <groupId>io.netty</groupId>
         <artifactId>netty-transport-native-epoll</artifactId>
-        <version>4.1.119.Final</version>
+        <version>4.1.130.Final</version>
         <classifier>linux-aarch_64</classifier>
       </dependency>
 
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -7,6 +7,7 @@ Merged from 4.1:
  * Disk usage guardrail cannot be disabled when failure threshold is reached (CASSANDRA-21057)
  * ReadCommandController should close fast to avoid deadlock when building secondary index (CASSANDRA-19564)
 Merged from 4.0:
+ * Switch lz4-java to at.yawk.lz4 version due to CVE (CASSANDRA-20152)
  * Restrict BytesType compatibility to scalar types only (CASSANDRA-20982)
  * Backport fix to nodetool gcstats output for direct memory (CASSANDRA-21037)
  * ArrayIndexOutOfBoundsException with repaired data tracking and counters (CASSANDRA-20871)
diff --git a/NEWS.txt b/NEWS.txt
@@ -65,6 +65,15 @@ restore snapshots created with the previous major version using the
 'sstableloader' tool. You can upgrade the file format of your snapshots
 using the provided 'sstableupgrade' tool.
 
+5.0.7
+======
+
+Upgrading
+---------
+    - This release addresses a security vulnerability in the LZ4 dependency, documented in CASSANDRA-21052. For users
+      who did not use LZ4 native libraries, this will now fallback to a safer but less performant pure Java
+      implementation. During startup, a warning will be logged if the LZ4 native library is not available.
+
 5.0.5
 =====
 
