Skip to content

HBASE-29740 Upgrade lz4-java to 1.8.1+ #7513

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Apache9 merged 5 commits into from
Dec 6, 2025
Merged

HBASE-29740 Upgrade lz4-java to 1.8.1+ #7513

Apache9 merged 5 commits into from
Dec 6, 2025
+8 −3

Conversation

@liuxiaocs7
Copy link
Contributor

@liuxiaocs7 liuxiaocs7 commented Dec 4, 2025
edited
Loading

@Apache9
Copy link
Contributor

Apache9 commented Dec 4, 2025

The newest version is 1.10.0, and there are some performance issues around the fix, we need to review the code to see if we need to change our code.

@Apache-HBase

This comment has been minimized.

Sign in to view
@Apache-HBase

This comment has been minimized.

Sign in to view
@Apache-HBase

This comment has been minimized.

Sign in to view
@Apache-HBase

This comment has been minimized.

Sign in to view
PDavid
PDavid reviewed Dec 5, 2025
View reviewed changes
@Apache9
Copy link
Contributor

Apache9 commented Dec 5, 2025

Checked the code

https://github.com/yawkat/lz4-java/wiki/1.8.1-diffoscope-output

Seems only fastDecompressor is affected and in our code base, we use safeDecompressor.

So I think we only need to upgrade the version, and there is a new CVE-2025-66566 which is fixed in 1.10.1, so let's upgrade to that version.

@liuxiaocs7 liuxiaocs7 changed the title HBASE-29740 Upgrade lz4-java to 1.8.1 HBASE-29740 Upgrade lz4-java to 1.8.1+ Dec 5, 2025
@liuxiaocs7
Copy link
Contributor Author

liuxiaocs7 commented Dec 5, 2025

Checked the code

https://github.com/yawkat/lz4-java/wiki/1.8.1-diffoscope-output

Seems only fastDecompressor is affected and in our code base, we use safeDecompressor.

So I think we only need to upgrade the version, and there is a new CVE-2025-66566 which is fixed in 1.10.1, so let's upgrade to that version.

Hi, @Apache9, sorry for the late reply, +1 for your comments, already upgraded to the latest 1.10.1, thanks for your help.

@Apache-HBase

This comment has been minimized.

Sign in to view
@Apache-HBase

This comment has been minimized.

Sign in to view
@Apache-HBase
Copy link

Apache-HBase commented Dec 6, 2025

🎊 +1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 0m 29s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 codespell 0m 0s codespell was not available.
+0 🆗 detsecrets 0m 0s detect-secrets was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
_ master Compile Tests _
+0 🆗 mvndep 0m 22s Maven dependency ordering for branch
+1 💚 mvninstall 3m 33s master passed
+1 💚 compile 8m 39s master passed
+1 💚 spotless 0m 54s branch has no errors when running spotless:check.
_ Patch Compile Tests _
+0 🆗 mvndep 0m 17s Maven dependency ordering for patch
+1 💚 mvninstall 3m 12s the patch passed
+1 💚 compile 8m 32s the patch passed
+1 💚 javac 8m 32s the patch passed
+1 💚 blanks 0m 0s The patch has no blanks issues.
+1 💚 xmllint 0m 0s No new issues.
+1 💚 hadoopcheck 14m 4s Patch does not cause any errors with Hadoop 3.3.6 3.4.1.
+1 💚 spotless 0m 49s patch has no errors when running spotless:check.
_ Other Tests _
+1 💚 asflicense 0m 28s The patch does not generate ASF License warnings.
50m 32s
Subsystem Report/Notes
Docker ClientAPI=1.43 ServerAPI=1.43 base: https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-7513/4/artifact/yetus-general-check/output/Dockerfile
GITHUB PR #7513
Optional Tests dupname asflicense javac codespell detsecrets xmllint hadoopcheck spotless compile
uname Linux 26d56407b2cc 5.4.0-1103-aws #111~18.04.1-Ubuntu SMP Tue May 23 20:04:10 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/hbase-personality.sh
git revision master / f135836
Default Java Eclipse Adoptium-17.0.11+9
Max. process+thread count 188 (vs. ulimit of 30000)
modules C: hbase-compression/hbase-compression-lz4 . U: .
Console output https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-7513/4/console
versions git=2.34.1 maven=3.9.8 xmllint=20913
Powered by Apache Yetus 0.15.0 https://yetus.apache.org

This message was automatically generated.

@Apache-HBase
Copy link

Apache-HBase commented Dec 6, 2025

💔 -1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 9m 50s Docker mode activated.
-0 ⚠️ yetus 0m 4s Unprocessed flag(s): --brief-report-file --spotbugs-strict-precheck --author-ignore-list --blanks-eol-ignore-file --blanks-tabs-ignore-file --quick-hadoopcheck
_ Prechecks _
_ master Compile Tests _
+0 🆗 mvndep 5m 55s Maven dependency ordering for branch
+1 💚 mvninstall 36m 10s master passed
+1 💚 compile 24m 45s master passed
+1 💚 javadoc 20m 21s master passed
+1 💚 shadedjars 7m 27s branch has no errors when building our shaded downstream artifacts.
_ Patch Compile Tests _
+0 🆗 mvndep 0m 16s Maven dependency ordering for patch
+1 💚 mvninstall 26m 9s the patch passed
+1 💚 compile 23m 57s the patch passed
+1 💚 javac 23m 57s the patch passed
+1 💚 javadoc 38m 0s the patch passed
+1 💚 shadedjars 6m 39s patch has no errors when building our shaded downstream artifacts.
_ Other Tests _
-1 ❌ unit 269m 13s /patch-unit-root.txt root in the patch failed.
476m 0s
Subsystem Report/Notes
Docker ClientAPI=1.43 ServerAPI=1.43 base: https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-7513/4/artifact/yetus-jdk17-hadoop3-check/output/Dockerfile
GITHUB PR #7513
Optional Tests javac javadoc unit shadedjars compile
uname Linux be33015d6905 5.4.0-1103-aws #111~18.04.1-Ubuntu SMP Tue May 23 20:04:10 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/hbase-personality.sh
git revision master / f135836
Default Java Eclipse Adoptium-17.0.11+9
Test Results https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-7513/4/testReport/
Max. process+thread count 4151 (vs. ulimit of 30000)
modules C: hbase-compression/hbase-compression-lz4 . U: .
Console output https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-7513/4/console
versions git=2.34.1 maven=3.9.8
Powered by Apache Yetus 0.15.0 https://yetus.apache.org

This message was automatically generated.

@Apache9 Apache9 merged commit 688b574 into apache:master Dec 6, 2025
1 check failed
Apache9 pushed a commit that referenced this pull request Dec 6, 2025
@liuxiaocs7 @Apache9
HBASE-29740 Upgrade lz4-java to 1.8.1+ (#7513)
4fd51ab 
Upgrade to 1.10.1 to address both CVE‐2025‐12183 and CVE-2025-66566.

Signed-off-by: Duo Zhang <[email protected]>
(cherry picked from commit 688b574)
Apache9 pushed a commit that referenced this pull request Dec 6, 2025
@liuxiaocs7 @Apache9
HBASE-29740 Upgrade lz4-java to 1.8.1+ (#7513)
f80e0a7 
Upgrade to 1.10.1 to address both CVE‐2025‐12183 and CVE-2025-66566.

Signed-off-by: Duo Zhang <[email protected]>
(cherry picked from commit 688b574)
Apache9 pushed a commit that referenced this pull request Dec 6, 2025
@liuxiaocs7 @Apache9
HBASE-29740 Upgrade lz4-java to 1.8.1+ (#7513)
6bfb797 
Upgrade to 1.10.1 to address both CVE‐2025‐12183 and CVE-2025-66566.

Signed-off-by: Duo Zhang <[email protected]>
(cherry picked from commit 688b574)
Apache9 pushed a commit that referenced this pull request Dec 6, 2025
@liuxiaocs7 @Apache9
HBASE-29740 Upgrade lz4-java to 1.8.1+ (#7513)
a827dd1 
Upgrade to 1.10.1 to address both CVE‐2025‐12183 and CVE-2025-66566.

Signed-off-by: Duo Zhang <[email protected]>
(cherry picked from commit 688b574)
Jaehui-Lee pushed a commit to Jaehui-Lee/hbase that referenced this pull request Dec 11, 2025
@liuxiaocs7 @Jaehui-Lee
HBASE-29740 Upgrade lz4-java to 1.8.1+ (apache#7513)
d7476ea 
Upgrade to 1.10.1 to address both CVE‐2025‐12183 and CVE-2025-66566.

Signed-off-by: Duo Zhang <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@PDavid PDavid PDavid left review comments

@Apache9 Apache9 Apache9 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@liuxiaocs7 @Apache9 @Apache-HBase @PDavid