Switch lz4-java to at.yawk.lz4 version due to CVE

aratno · aratno · commit ec3b425c38d9 · 2025-12-18T10:51:26.000-08:00
Patch by Abe Ratnofsky; reviewed by Jyothsna Konisa, Dmitry Konstantinov for CASSANDRA-21052
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -1,4 +1,5 @@
 4.0.20
+ * Switch lz4-java to at.yawk.lz4 version due to CVE (CASSANDRA-20152)
  * Restrict BytesType compatibility to scalar types only (CASSANDRA-20982)
  * Backport fix to nodetool gcstats output for direct memory (CASSANDRA-21037)
  * ArrayIndexOutOfBoundsException with repaired data tracking and counters (CASSANDRA-20871)
diff --git a/NEWS.txt b/NEWS.txt
@@ -51,6 +51,15 @@ restore snapshots created with the previous major version using the
 'sstableloader' tool. You can upgrade the file format of your snapshots
 using the provided 'sstableupgrade' tool.
 
+4.0.20
+======
+
+Upgrading
+---------
+    - This release addresses a security vulnerability in the LZ4 dependency, documented in CASSANDRA-21052. For users
+      who did not use LZ4 native libraries, this will now fallback to a safer but less performant pure Java
+      implementation. During startup, a warning will be logged if the LZ4 native library is not available.
+
 4.0.14
 ======
 
diff --git a/build.xml b/build.xml
@@ -546,7 +546,7 @@
         <scm connection="${scm.connection}" developerConnection="${scm.developerConnection}" url="${scm.url}"/>
         <dependencyManagement>
           <dependency groupId="org.xerial.snappy" artifactId="snappy-java" version="1.1.10.4"/>
-          <dependency groupId="org.lz4" artifactId="lz4-java" version="1.8.0"/>
+          <dependency groupId="at.yawk.lz4" artifactId="lz4-java" version="1.10.1"/>
           <dependency groupId="com.github.luben" artifactId="zstd-jni" version="1.5.7-2"/>
           <dependency groupId="com.google.guava" artifactId="guava" version="27.0-jre">
             <exclusion groupId="com.google.code.findbugs" artifactId="jsr305" />
@@ -805,7 +805,7 @@
                 relativePath="${final.name}-parent.pom"/>
         <scm connection="${scm.connection}" developerConnection="${scm.developerConnection}" url="${scm.url}"/>
         <dependency groupId="org.xerial.snappy" artifactId="snappy-java"/>
-        <dependency groupId="org.lz4" artifactId="lz4-java"/>
+        <dependency groupId="at.yawk.lz4" artifactId="lz4-java"/>
         <dependency groupId="com.google.guava" artifactId="guava"/>
         <dependency groupId="commons-cli" artifactId="commons-cli"/>
         <dependency groupId="commons-codec" artifactId="commons-codec"/>

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`4.0.20`
	`2`	`+ * Switch lz4-java to at.yawk.lz4 version due to CVE (CASSANDRA-20152)`
`2`	`3`	`* Restrict BytesType compatibility to scalar types only (CASSANDRA-20982)`
`3`	`4`	`* Backport fix to nodetool gcstats output for direct memory (CASSANDRA-21037)`
`4`	`5`	`* ArrayIndexOutOfBoundsException with repaired data tracking and counters (CASSANDRA-20871)`