Conversation

@pnowojski
Contributor

What is the purpose of the change

Upgrade lz4 to 1.8.1 due to security vulnerability

Verifying this change

Change should be covered by the existing tests.

Does this pull request potentially affect one of the following parts:

  • Dependencies (does it add or upgrade a dependency): (yes / no)
  • The public API, i.e., is any changed class annotated with @Public(Evolving): (yes / no)
  • The serializers: (yes / no / don't know)
  • The runtime per-record code paths (performance sensitive): (yes / no / don't know)
  • Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: (yes / no / don't know)
  • The S3 file system connector: (yes / no / don't know)

Documentation

  • Does this pull request introduce a new feature? (yes / no)
  • If yes, how is the feature documented? (not applicable / docs / JavaDocs / not documented)

@pnowojski pnowojski marked this pull request as draft December 5, 2025 13:27
@flinkbot
Collaborator

flinkbot commented Dec 5, 2025

CI report:

Bot commands

The @flinkbot bot supports the following commands:
  • @flinkbot run azure: re-run the last Azure build

@pnowojski
Contributor Author

pnowojski commented Dec 5, 2025

lz4 1.8.0 is still being pulled from our Kafka connector, via Kafka client 🤔

[INFO] +- org.apache.flink:flink-connector-kafka:jar:3.0.0-1.17:compile
[INFO] |  +- org.apache.flink:flink-connector-base:jar:1.17.0:compile
[INFO] |  \- org.apache.kafka:kafka-clients:jar:3.2.3:compile
[INFO] |     +- com.github.luben:zstd-jni:jar:1.5.2-1:runtime
[INFO] |     \- org.lz4:lz4-java:jar:1.8.0:runtime

The Kafka connector is pulled in from examples and in some tests, so on the one hand I think we should be fine just ignoring it until the Kafka connector upgrades its own dependency 🤔 But on the other hand I'm worried about dependency convergence if someone tries to use Flink with lz4 1.8.1 with the Kafka connector with lz4 1.8.0.

I'm not 100% sure how to proceed here.

I guess we need to fix this problem simultaneously in the two repos, and only the new flink kafka connector versions will be officially compatible with Flink versions released with this change/fix?

Contributor

@Savonitar Savonitar left a comment


Hi, thank you for fixing this.


This project bundles the following dependencies under the Apache Software License 2.0 (http://www.apache.org/licenses/LICENSE-2.0.txt)

- at.yawk.lz4:lz4-java:1.8.1
Contributor

@Savonitar Savonitar Dec 9, 2025


Btw, upstream Apache Kafka (in trunk) has already migrated to the at.yawk fork and is currently using version 1.10.1

Since the Kafka connector will eventually depend on newer Kafka clients (which use 1.10.x), maybe it is safer to align directly with 1.10.1 instead of 1.8.1?
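The dependency-convergence worry raised earlier in the thread, and the at.yawk fork mentioned just above, can both be checked from the text of `mvn dependency:tree` before the build ever reaches the enforcer plugin. The script below is an added example written for this page; it is not code from the Flink project or from this PR. Its embedded sample tree combines the lines pnowojski pasted above with constructed lines (an invented root module, a direct lz4-java 1.8.1 dependency, and the at.yawk.lz4 fork at 1.10.1) so that both kinds of divergence appear. It reports every groupId:artifactId seen with more than one version and, separately, every artifactId published under more than one groupId. The second check matters because Maven mediates versions only within one groupId:artifactId: a fork that keeps the artifactId but changes the groupId (org.lz4 vs at.yawk.lz4) is never a "conflict" to Maven or to the enforcer's dependencyConvergence rule, so both jars can land on the classpath. Whether their classes then collide depends on whether the fork keeps the original packages, which this thread does not state.

```python
"""Detect diverging versions and relocated forks in `mvn dependency:tree` output.

Added example for this PR thread, not Flink or lz4-java project code.
"""
import re
from collections import defaultdict

# Constructed sample: the lines pnowojski pasted in the thread, plus an invented
# root module, a direct lz4-java 1.8.1 dependency and the at.yawk fork.  The
# "(... omitted for conflict ...)" line is the form `mvn dependency:tree
# -Dverbose` uses for a version that Maven mediated away.
SAMPLE_TREE = """\
[INFO] org.example:flink-app:jar:0.1-SNAPSHOT
[INFO] +- org.lz4:lz4-java:jar:1.8.1:compile
[INFO] +- org.apache.flink:flink-connector-kafka:jar:3.0.0-1.17:compile
[INFO] |  +- org.apache.flink:flink-connector-base:jar:1.17.0:compile
[INFO] |  \\- org.apache.kafka:kafka-clients:jar:3.2.3:compile
[INFO] |     +- com.github.luben:zstd-jni:jar:1.5.2-1:runtime
[INFO] |     \\- (org.lz4:lz4-java:jar:1.8.0:runtime - omitted for conflict with 1.8.1)
[INFO] \\- at.yawk.lz4:lz4-java:jar:1.10.1:compile
"""

_INFO_PREFIX = re.compile(r"^\[INFO\]\s?")
_TREE_CHARS = " |+\\-"  # tree-drawing characters that precede a coordinate


def parse_tree(text):
    """Return (groupId, artifactId, version, scope) for every coordinate line.

    Handles the plain form, the verbose "(coord - omitted for ...)" form and a
    trailing "(version managed from ...)" annotation.  Non-coordinate lines are skipped.
    """
    deps = []
    for raw in text.splitlines():
        line = _INFO_PREFIX.sub("", raw).lstrip(_TREE_CHARS).strip()
        if line.startswith("("):
            # verbose form: keep only the coordinate before " - omitted ..."
            line = line[1:].split(" - ", 1)[0]
        line = line.split(" (", 1)[0].rstrip(")")
        parts = line.split(":")
        if len(parts) == 4:        # root line: g:a:type:version
            group, artifact, version, scope = parts[0], parts[1], parts[3], None
        elif len(parts) == 5:      # g:a:type:version:scope
            group, artifact, version, scope = parts[0], parts[1], parts[3], parts[4]
        elif len(parts) == 6:      # g:a:type:classifier:version:scope
            group, artifact, version, scope = parts[0], parts[1], parts[4], parts[5]
        else:
            continue
        deps.append((group, artifact, version, scope))
    return deps


def find_version_conflicts(deps):
    """Map 'groupId:artifactId' -> sorted versions for artifacts seen with >1 version."""
    seen = defaultdict(set)
    for group, artifact, version, _scope in deps:
        seen[f"{group}:{artifact}"].add(version)
    return {ga: sorted(v) for ga, v in seen.items() if len(v) > 1}


def find_relocated_forks(deps):
    """Map artifactId -> sorted groupIds for artifactIds published under >1 groupId.

    Maven never treats these as conflicting, so both jars can be on the classpath.
    """
    seen = defaultdict(set)
    for group, artifact, _version, _scope in deps:
        seen[artifact].add(group)
    return {a: sorted(g) for a, g in seen.items() if len(g) > 1}


def report(text):
    """Human-readable findings for one dependency tree, one line per finding."""
    deps = parse_tree(text)
    lines = []
    for ga, versions in sorted(find_version_conflicts(deps).items()):
        lines.append(f"version divergence: {ga} -> {', '.join(versions)}")
    for artifact, groups in sorted(find_relocated_forks(deps).items()):
        lines.append(f"same artifactId under several groupIds: {artifact} <- {', '.join(groups)}")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_TREE):
        print(finding)
```

To run it against a real module, pipe `mvn dependency:tree -Dverbose` output into `report()`; the verbose flag is what keeps the mediated-away 1.8.0 line visible, since the default tree simply drops it.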

@github-actions github-actions bot added the community-reviewed PR has been reviewed by the community. label Dec 10, 2025
@pjfanning
Member

Can we go to 1.10.1 because another CVE was reported - CVE-2025-66566
