
fix(security): Override vulnerable lz4-java dependency to address CVE#26931

Open
sumi-mathew wants to merge 1 commit into prestodb:master from sumi-mathew:cve_lz4

Conversation

@sumi-mathew
Contributor

@sumi-mathew sumi-mathew commented Jan 9, 2026

Description

Override vulnerable lz4-java dependency to address CVE-2025-12183

Test Plan

Contributor checklist

  • Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.
  • If adding new dependencies, verified they have an OpenSSF Scorecard score of 5.0 or higher (or obtained explicit TSC approval for lower scores).

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Security Changes
* Upgrade lz4-java to 1.10.2 in response to `CVE-2025-12183 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12183>`_. 

@prestodb-ci prestodb-ci added the from:IBM PR from IBM label Jan 9, 2026
@sumi-mathew sumi-mathew changed the title fix(security): Override vulnerable lz4-java dependency to address CVE… fix(security): Override vulnerable lz4-java dependency to address CVE Jan 9, 2026
@sumi-mathew sumi-mathew marked this pull request as ready for review January 9, 2026 10:50
@sumi-mathew sumi-mathew requested a review from a team as a code owner January 9, 2026 10:50
@prestodb-ci prestodb-ci requested review from a team, ShahimSharafudeen and xin-zhang2 and removed request for a team January 9, 2026 10:50
@steveburnett
Contributor

Thanks for the release note! Formatting nit:

== RELEASE NOTES ==

Security Changes
* Upgrade lz4-java to 1.10.2 in response to `CVE-2025-12183 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12183>`_. 

Contributor

@ShahimSharafudeen ShahimSharafudeen left a comment


Please run some manual integration tests with Kafka connector after the change since we don't have enough CI tests for this.

@sumi-mathew
Contributor Author

Please run some manual integration tests with Kafka connector after the change since we don't have enough CI tests for this.

Thanks for reviewing the PR. I am attaching the test results.

Screenshot 2026-01-14 at 3 09 33 PM

@ShahimSharafudeen
Contributor

Please run some manual integration tests with Kafka connector after the change since we don't have enough CI tests for this.

Thanks for reviewing the PR. I am attaching the test results.

Screenshot 2026-01-14 at 3 09 33 PM

As per the test results, I believe the test scenarios are working as expected. The query results are showing empty because there is no data in the corresponding table in the datasource.

Contributor

@ShahimSharafudeen ShahimSharafudeen left a comment


LGTM..

Member

@imjalpreet imjalpreet left a comment


Thank you, @sumi-mathew.

Changes look good, just one thought, I have seen a couple of PRs fixing this CVE in different modules and I wonder if we can just add this dependency and version to root pom.

@sumi-mathew
Contributor Author

Changes look good, just one thought, I have seen a couple of PRs fixing this CVE in different modules and I wonder if we can just add this dependency and version to root pom.

Thanks for the review!

I agree with the suggestion. Since this CVE is being addressed across multiple modules, it makes sense to add the dependency and version to the root POM. Once these two PRs are merged — #26820 and #26684 — I’ll update the root POM accordingly.
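The root-POM approach discussed above, shown as an added illustration that is not part of this PR or of the Presto code base: a `dependencyManagement` entry in the parent pom pins lz4-java at 1.10.2 for every module, and Maven applies the managed version to transitive pulls as well (for example through a Kafka client), so no per-module override is needed. The Maven coordinates `org.lz4:lz4-java` and the placeholder parent coordinates are assumptions; the 1.10.2 version is the one named in the release note.

```xml
<!-- Added illustration of a root pom.xml; placeholder coordinates, not Presto's own file. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>example-parent</artifactId>
  <version>0-SNAPSHOT</version>
  <packaging>pom</packaging>

  <properties>
    <!-- One place to bump the version the next time lz4-java needs a security update -->
    <dep.lz4-java.version>1.10.2</dep.lz4-java.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Managed version wins for every module and for transitive occurrences of
           lz4-java; a module that uses the library still declares it (without a
           version) in its own pom. Coordinates org.lz4:lz4-java are assumed. -->
      <dependency>
        <groupId>org.lz4</groupId>
        <artifactId>lz4-java</artifactId>
        <version>${dep.lz4-java.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

To confirm the pin took effect across the build, run `mvn dependency:tree -Dincludes=org.lz4:lz4-java` from the repository root: every module should resolve lz4-java 1.10.2, and any module still carrying its own `<version>` override can then have it dropped in favour of the managed entry.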

@prestodb-ci
Contributor

@imjalpreet imported this issue as lakehouse/presto #26931
