[CELEBORN-2218] Bump lz4-java version from 1.8.0 to 1.10.1 to resolve CVE‐2025‐12183 and CVE-2025-66566

SteNicholas · SteNicholas · commit fc23474b78b8 · 2025-12-15T10:46:28.000+08:00
diff --git a/client-mr/mr-shaded/pom.xml b/client-mr/mr-shaded/pom.xml
@@ -64,8 +64,8 @@
               <shadedPattern>${shading.prefix}.org.scala-lang</shadedPattern>
             </relocation>
             <relocation>
-              <pattern>org.lz4</pattern>
-              <shadedPattern>${shading.prefix}.org.lz4</shadedPattern>
+              <pattern>at.yawk.lz4</pattern>
+              <shadedPattern>${shading.prefix}.at.yawk.lz4</shadedPattern>
             </relocation>
             <relocation>
               <pattern>org.roaringbitmap</pattern>
@@ -81,7 +81,7 @@
               <include>io.netty:*</include>
               <include>org.apache.commons:commons-lang3</include>
               <include>org.scala-lang:scala-library</include>
-              <include>org.lz4:lz4-java</include>
+              <include>at.yawk.lz4:lz4-java</include>
               <include>com.github.luben:zstd-jni</include>
               <include>org.roaringbitmap:RoaringBitmap</include>
             </includes>
diff --git a/client-mr/mr-shaded/src/main/resources/META-INF/LICENSE b/client-mr/mr-shaded/src/main/resources/META-INF/LICENSE
@@ -208,6 +208,7 @@ This project bundles the following dependencies under the Apache License 2.0 (ht
 Apache License 2.0
 --------------------------------------
 
+at.yawk.lz4:lz4-java
 com.google.guava:failureaccess
 com.google.guava:guava
 io.netty:netty
@@ -240,7 +241,6 @@ io.netty:netty-transport-rxtx
 io.netty:netty-transport-sctp
 io.netty:netty-transport-udt
 org.apache.commons:commons-lang3
-org.lz4:lz4-java
 org.roaringbitmap:RoaringBitmap
 org.scala-lang:scala-library
 
diff --git a/client-tez/tez-shaded/pom.xml b/client-tez/tez-shaded/pom.xml
@@ -94,7 +94,7 @@
               <include>org.roaringbitmap:RoaringBitmap</include>
               <include>org.scala-lang:scala-library</include>
               <include>org.scala-lang:scala-reflect</include>
-              <include>org.lz4:lz4-java</include>
+              <include>at.yawk.lz4:lz4-java</include>
               <include>io.dropwizard.metrics:metrics-core</include>
               <include>com.codahale.metrics:metrics-core</include>
               <include>com.github.luben:zstd-jni</include>
diff --git a/client-tez/tez-shaded/src/main/resources/META-INF/LICENSE b/client-tez/tez-shaded/src/main/resources/META-INF/LICENSE
@@ -208,6 +208,7 @@ This project bundles the following dependencies under the Apache License 2.0 (ht
 Apache License 2.0
 --------------------------------------
 
+at.yawk.lz4:lz4-java
 com.google.guava:failureaccess
 com.google.guava:guava
 io.netty:netty
@@ -240,7 +241,6 @@ io.netty:netty-transport-rxtx
 io.netty:netty-transport-sctp
 io.netty:netty-transport-udt
 org.apache.commons:commons-lang3
-org.lz4:lz4-java
 org.roaringbitmap:RoaringBitmap
 org.scala-lang:scala-library
 
diff --git a/client/pom.xml b/client/pom.xml
@@ -51,7 +51,7 @@
       <artifactId>guava</artifactId>
     </dependency>
     <dependency>
-      <groupId>org.lz4</groupId>
+      <groupId>at.yawk.lz4</groupId>
       <artifactId>lz4-java</artifactId>
     </dependency>
     <dependency>
diff --git a/dev/deps/dependencies-client-flink-1.16 b/dev/deps/dependencies-client-flink-1.16
@@ -32,7 +32,7 @@ jcl-over-slf4j/1.7.36//jcl-over-slf4j-1.7.36.jar
 jsr305/1.3.9//jsr305-1.3.9.jar
 jul-to-slf4j/1.7.36//jul-to-slf4j-1.7.36.jar
 leveldbjni-all/1.8//leveldbjni-all-1.8.jar
-lz4-java/1.8.0//lz4-java-1.8.0.jar
+lz4-java/1.10.1//lz4-java-1.10.1.jar
 maven-jdk-tools-wrapper/0.1//maven-jdk-tools-wrapper-0.1.jar
 metrics-core/4.2.25//metrics-core-4.2.25.jar
 metrics-graphite/4.2.25//metrics-graphite-4.2.25.jar
diff --git a/dev/deps/dependencies-client-flink-1.17 b/dev/deps/dependencies-client-flink-1.17
@@ -32,7 +32,7 @@ jcl-over-slf4j/1.7.36//jcl-over-slf4j-1.7.36.jar
 jsr305/1.3.9//jsr305-1.3.9.jar
 jul-to-slf4j/1.7.36//jul-to-slf4j-1.7.36.jar
 leveldbjni-all/1.8//leveldbjni-all-1.8.jar
-lz4-java/1.8.0//lz4-java-1.8.0.jar
+lz4-java/1.10.1//lz4-java-1.10.1.jar
 maven-jdk-tools-wrapper/0.1//maven-jdk-tools-wrapper-0.1.jar
 metrics-core/4.2.25//metrics-core-4.2.25.jar
 metrics-graphite/4.2.25//metrics-graphite-4.2.25.jar
diff --git a/dev/deps/dependencies-client-flink-1.18 b/dev/deps/dependencies-client-flink-1.18
@@ -32,7 +32,7 @@ jcl-over-slf4j/1.7.36//jcl-over-slf4j-1.7.36.jar
 jsr305/1.3.9//jsr305-1.3.9.jar
 jul-to-slf4j/1.7.36//jul-to-slf4j-1.7.36.jar
 leveldbjni-all/1.8//leveldbjni-all-1.8.jar
-lz4-java/1.8.0//lz4-java-1.8.0.jar
+lz4-java/1.10.1//lz4-java-1.10.1.jar
 maven-jdk-tools-wrapper/0.1//maven-jdk-tools-wrapper-0.1.jar
 metrics-core/4.2.25//metrics-core-4.2.25.jar
 metrics-graphite/4.2.25//metrics-graphite-4.2.25.jar
diff --git a/dev/deps/dependencies-client-flink-1.19 b/dev/deps/dependencies-client-flink-1.19
@@ -32,7 +32,7 @@ jcl-over-slf4j/1.7.36//jcl-over-slf4j-1.7.36.jar
 jsr305/1.3.9//jsr305-1.3.9.jar
 jul-to-slf4j/1.7.36//jul-to-slf4j-1.7.36.jar
 leveldbjni-all/1.8//leveldbjni-all-1.8.jar
-lz4-java/1.8.0//lz4-java-1.8.0.jar
+lz4-java/1.10.1//lz4-java-1.10.1.jar
 maven-jdk-tools-wrapper/0.1//maven-jdk-tools-wrapper-0.1.jar
 metrics-core/4.2.25//metrics-core-4.2.25.jar
 metrics-graphite/4.2.25//metrics-graphite-4.2.25.jar
diff --git a/dev/deps/dependencies-client-flink-1.20 b/dev/deps/dependencies-client-flink-1.20
@@ -32,7 +32,7 @@ jcl-over-slf4j/1.7.36//jcl-over-slf4j-1.7.36.jar
 jsr305/1.3.9//jsr305-1.3.9.jar
 jul-to-slf4j/1.7.36//jul-to-slf4j-1.7.36.jar
 leveldbjni-all/1.8//leveldbjni-all-1.8.jar
-lz4-java/1.8.0//lz4-java-1.8.0.jar
+lz4-java/1.10.1//lz4-java-1.10.1.jar
 maven-jdk-tools-wrapper/0.1//maven-jdk-tools-wrapper-0.1.jar
 metrics-core/4.2.25//metrics-core-4.2.25.jar
 metrics-graphite/4.2.25//metrics-graphite-4.2.25.jar
diff --git a/dev/deps/dependencies-client-flink-2.0 b/dev/deps/dependencies-client-flink-2.0
@@ -32,7 +32,7 @@ jcl-over-slf4j/1.7.36//jcl-over-slf4j-1.7.36.jar
 jsr305/1.3.9//jsr305-1.3.9.jar
 jul-to-slf4j/1.7.36//jul-to-slf4j-1.7.36.jar
 leveldbjni-all/1.8//leveldbjni-all-1.8.jar
-lz4-java/1.8.0//lz4-java-1.8.0.jar
+lz4-java/1.10.1//lz4-java-1.10.1.jar
 metrics-core/4.2.25//metrics-core-4.2.25.jar
 metrics-graphite/4.2.25//metrics-graphite-4.2.25.jar
 metrics-jvm/4.2.25//metrics-jvm-4.2.25.jar
diff --git a/dev/deps/dependencies-client-flink-2.1 b/dev/deps/dependencies-client-flink-2.1
@@ -32,7 +32,7 @@ jcl-over-slf4j/1.7.36//jcl-over-slf4j-1.7.36.jar
 jsr305/1.3.9//jsr305-1.3.9.jar
 jul-to-slf4j/1.7.36//jul-to-slf4j-1.7.36.jar
 leveldbjni-all/1.8//leveldbjni-all-1.8.jar
-lz4-java/1.8.0//lz4-java-1.8.0.jar
+lz4-java/1.10.1//lz4-java-1.10.1.jar
 metrics-core/4.2.25//metrics-core-4.2.25.jar
 metrics-graphite/4.2.25//metrics-graphite-4.2.25.jar
 metrics-jvm/4.2.25//metrics-jvm-4.2.25.jar
diff --git a/dev/deps/dependencies-client-flink-2.2 b/dev/deps/dependencies-client-flink-2.2
@@ -32,7 +32,7 @@ jcl-over-slf4j/1.7.36//jcl-over-slf4j-1.7.36.jar
 jsr305/1.3.9//jsr305-1.3.9.jar
 jul-to-slf4j/1.7.36//jul-to-slf4j-1.7.36.jar
 leveldbjni-all/1.8//leveldbjni-all-1.8.jar
-lz4-java/1.8.0//lz4-java-1.8.0.jar
+lz4-java/1.10.1//lz4-java-1.10.1.jar
 metrics-core/4.2.25//metrics-core-4.2.25.jar
 metrics-graphite/4.2.25//metrics-graphite-4.2.25.jar
 metrics-jvm/4.2.25//metrics-jvm-4.2.25.jar
diff --git a/dev/deps/dependencies-client-mr b/dev/deps/dependencies-client-mr
@@ -134,7 +134,7 @@ kerby-xdr/1.0.1//kerby-xdr-1.0.1.jar
 kotlin-stdlib-common/1.4.10//kotlin-stdlib-common-1.4.10.jar
 kotlin-stdlib/1.4.10//kotlin-stdlib-1.4.10.jar
 leveldbjni-all/1.8//leveldbjni-all-1.8.jar
-lz4-java/1.8.0//lz4-java-1.8.0.jar
+lz4-java/1.10.1//lz4-java-1.10.1.jar
 maven-jdk-tools-wrapper/0.1//maven-jdk-tools-wrapper-0.1.jar
 metrics-core/4.2.25//metrics-core-4.2.25.jar
 metrics-graphite/4.2.25//metrics-graphite-4.2.25.jar
diff --git a/dev/deps/dependencies-client-tez b/dev/deps/dependencies-client-tez
@@ -107,7 +107,7 @@ kerby-util/1.0.1//kerby-util-1.0.1.jar
 kerby-xdr/1.0.1//kerby-xdr-1.0.1.jar
 leveldbjni-all/1.8//leveldbjni-all-1.8.jar
 log4j/1.2.17//log4j-1.2.17.jar
-lz4-java/1.8.0//lz4-java-1.8.0.jar
+lz4-java/1.10.1//lz4-java-1.10.1.jar
 maven-jdk-tools-wrapper/0.1//maven-jdk-tools-wrapper-0.1.jar
 metrics-core/4.2.25//metrics-core-4.2.25.jar
 metrics-graphite/4.2.25//metrics-graphite-4.2.25.jar
diff --git a/dev/deps/dependencies-server b/dev/deps/dependencies-server
@@ -79,7 +79,7 @@ log4j-1.2-api/2.24.3//log4j-1.2-api-2.24.3.jar
 log4j-api/2.24.3//log4j-api-2.24.3.jar
 log4j-core/2.24.3//log4j-core-2.24.3.jar
 log4j-slf4j-impl/2.24.3//log4j-slf4j-impl-2.24.3.jar
-lz4-java/1.8.0//lz4-java-1.8.0.jar
+lz4-java/1.10.1//lz4-java-1.10.1.jar
 maven-jdk-tools-wrapper/0.1//maven-jdk-tools-wrapper-0.1.jar
 metrics-core/4.2.25//metrics-core-4.2.25.jar
 metrics-graphite/4.2.25//metrics-graphite-4.2.25.jar
diff --git a/pom.xml b/pom.xml
@@ -91,7 +91,7 @@
     <leveldb.version>1.8</leveldb.version>
     <log4j2.version>2.24.3</log4j2.version>
     <disruptor.version>3.4.4</disruptor.version>
-    <lz4-java.version>1.8.0</lz4-java.version>
+    <lz4-java.version>1.10.1</lz4-java.version>
     <mockito.version>4.11.0</mockito.version>
     <mockito-scalatest.version>1.17.14</mockito-scalatest.version>
     <netty.version>4.1.118.Final</netty.version>
@@ -440,11 +440,6 @@
         <artifactId>leveldbjni-all</artifactId>
         <version>${leveldb.version}</version>
       </dependency>
-      <dependency>
-        <groupId>org.lz4</groupId>
-        <artifactId>lz4-java</artifactId>
-        <version>${lz4-java.version}</version>
-      </dependency>
       <dependency>
         <groupId>com.github.luben</groupId>
         <artifactId>zstd-jni</artifactId>
@@ -1415,6 +1410,38 @@
         <aliyun-deps>true</aliyun-deps>
       </properties>
     </profile>
+    <profile>
+      <id>at-yawk-lz4</id>
+      <activation>
+        <property>
+          <name>lz4-java.version</name>
+          <value>[1.10.1,)</value>
+        </property>
+      </activation>
+      <dependencies>
+        <dependency>
+          <groupId>at.yawk.lz4</groupId>
+          <artifactId>lz4-java</artifactId>
+          <version>${lz4-java.version}</version>
+        </dependency>
+      </dependencies>
+    </profile>
+    <profile>
+      <id>org-lz4</id>
+      <activation>
+        <property>
+          <name>lz4-java.version</name>
+          <value>[1.4.0,1.10.0]</value>
+        </property>
+      </activation>
+      <dependencies>
+        <dependency>
+          <groupId>org.lz4</groupId>
+          <artifactId>lz4-java</artifactId>
+          <version>${lz4-java.version}</version>
+        </dependency>
+      </dependencies>
+    </profile>
     <profile>
       <id>spark-2.4</id>
       <modules>
diff --git a/project/CelebornBuild.scala b/project/CelebornBuild.scala
@@ -38,7 +38,8 @@ import CelebornCommonSettings._
 object Dependencies {
 
   val zstdJniVersion = sparkClientProjects.map(_.zstdJniVersion).getOrElse("1.5.7-1")
-  val lz4JavaVersion = sparkClientProjects.map(_.lz4JavaVersion).getOrElse("1.8.0")
+  val lz4JavaGroup = sparkClientProjects.map(_.lz4JavaGroup).getOrElse("at.yawk.lz4")
+  val lz4JavaVersion = sparkClientProjects.map(_.lz4JavaVersion).getOrElse("1.10.1")
 
   // Dependent library versions
   val apLoaderVersion = "4.0-10"
@@ -152,7 +153,7 @@ object Dependencies {
   val log4j12Api = "org.apache.logging.log4j" % "log4j-1.2-api" % log4j2Version
   val log4jSlf4jImpl = "org.apache.logging.log4j" % "log4j-slf4j-impl" % log4j2Version
   val disruptor = "com.lmax" % "disruptor" % disruptorVersion
-  val lz4Java = "org.lz4" % "lz4-java" % lz4JavaVersion
+  val lz4Java = lz4JavaGroup % "lz4-java" % lz4JavaVersion
   val protobufJava = "com.google.protobuf" % "protobuf-java" % protoVersion
   val ratisClient = "org.apache.ratis" % "ratis-client" % ratisVersion
   val ratisCommon = "org.apache.ratis" % "ratis-common" % ratisVersion
@@ -946,6 +947,7 @@ trait SparkClientProjects {
   val sparkClientShadedProjectPath: String
   val sparkClientShadedProjectName: String
 
+  val lz4JavaGroup: String = "org.lz4"
   val lz4JavaVersion: String
   val sparkProjectScalaVersion: String
   val sparkVersion: String
