Bump lz4-java to 1.10.2 for CVE-2025-12183 & CVE-2025-66566 fixes.

[slfan1989]

Why are the changes needed?

To fully address two recently disclosed CVEs in lz4-java:

• CVE-2025-12183 (Out-of-bounds read in older versions ≤1.8.0, leading to DoS or info leak). Fixed starting from the community fork (at.yawk.lz4) in 1.8.1 and carried forward.
• CVE-2025-66566 (High severity: Information leak in safe Java decompressor due to insufficient buffer clearing, affecting ≤1.10.0). Explicitly fixed in 1.10.1.

The current version in main (1.10.2) already includes the fix from 1.10.1 and subsequent improvements. This PR ensures we are on the latest patch release to eliminate any vulnerability scanner alerts and benefit from minor bug fixes/performance improvements.

References:

• CVE-2025-12183: https://nvd.nist.gov/vuln/detail/CVE-2025-12183
• CVE-2025-66566: https://nvd.nist.gov/vuln/detail/CVE-2025-66566
• lz4-java releases: https://github.com/yawkat/lz4-java/releases
• Maven Central: https://mvnrepository.com/artifact/at.yawk.lz4/lz4-java

[slfan1989]

@huaxingao Could you please help review this PR? Thank you very much!

[huaxingao]

I’m seeing org.lz4:lz4-java:1.8.0 still present on Spark 3.5/4.0 compileClasspath. Does this need to be fixed too?

[slfan1989]

I’m seeing org.lz4:lz4-java:1.8.0 still present on Spark 3.5/4.0 compileClasspath. Does this need to be fixed too?

Thanks for the review!

You're right — even as a transitive dependency, the vulnerable org.lz4:lz4-java:1.8.0 should be fully excluded to avoid scanner alerts.

I'll update the PR to add a global exclude group: 'org.lz4', module: 'lz4-java' in the root subprojects block (covering Spark, Flink, and Kafka Connect). This will completely remove the old version from all classpaths, while keeping the capability resolution rule as a safety net.

Pushing the change shortly. Thanks again!

[slfan1989]

This is a global exclusion rule. After applying this rule, we can use the following command for validation.

gradlew --parallel \
  -DsparkVersions=4.0 \
  -DscalaVersion=2.13 \
  :iceberg-spark:iceberg-spark-4.0_2.13:dependencies \
  :iceberg-spark:iceberg-spark-extensions-4.0_2.13:dependencies \
  :iceberg-spark:iceberg-spark-runtime-4.0_2.13:dependencies \
  --configuration compileClasspath \
  -Pquick=true \
  --refresh-dependencies|grep "lz4"

The result is as follows:

|    +--- at.yawk.lz4:lz4-java:1.10.2
|    +--- at.yawk.lz4:lz4-java:1.10.2
|    +--- at.yawk.lz4:lz4-java:1.10.2
|    +--- at.yawk.lz4:lz4-java:1.10.2
|    +--- at.yawk.lz4:lz4-java:1.10.2

[slfan1989]

@huaxingao Could you please help review this PR again? Thank you very much!

[huaxingao]

Is this change still needed?

[slfan1989]

Thanks for the review and suggestions! I agree—this part can be removed. I'll make further improvements and update the PR soon.

[singhpk234]

why only these module, shouldn't we doing it for all ?

[slfan1989]

Currently, only a few modules depend on org.lz4:lz4-java. Promoting this dependency to the project level is safe and will improve consistency and standardization in dependency management. I plan to implement this change.

[huaxingao]

Is it better to keep this rule scoped (e.g., Spark/Flink/Kafka Connect) because the vulnerable org.lz4:lz4-java is coming from the Spark/Flink/Kafka dependency trees?

[slfan1989]

@huaxingao Thank you very much for reviewing the code and for the helpful suggestions.

From my perspective, I also lean toward scoping this rule to the relevant components (e.g., Spark / Flink / Kafka Connect), since the current org.lz4:lz4-java vulnerability is primarily introduced via transitive dependencies in the Spark/Flink/Kafka dependency trees. This would help reduce the impact on other unrelated modules.

From my side: +1 to scoping the rule to Spark / Flink / Kafka Connect.

@singhpk234 Can you agree with this improvement?

[slfan1989]

@huaxingao @singhpk234 Could you please take another look at this PR? Thank you very much!

[nastra]

I agree with @singhpk234 here and I think we should override the dependency for all iceberg modules. That way we can't accidentally introduce it anywhere else. Also the changes in L372 for the iceberg-core module won't be necessary

[github-actions]

This pull request has been marked as stale due to 30 days of inactivity. It will be closed in 1 week if no further activity occurs. If you think that’s incorrect or this pull request requires a review, please simply write any comment. If closed, you can revive the PR at any time and @mention a reviewer or discuss it on the dev@iceberg.apache.org list. Thank you for your contributions.

[slfan1989]

@huaxingao @singhpk234 @nastra Could you please take another look at this PR? Thank you very much!

[nastra]

we already have a subprojects section in L124, so better to move this stuff there

[slfan1989]

Makes sense. We already have the Subprojects section at L124, so I’ll move this content there.

[nastra]

what does the :0 do there?

[slfan1989]

what does the :0 do there?

select("at.yawk.lz4:lz4-java:0") tells Gradle to resolve org.lz4:lz4-java capability conflicts by choosing the at.yawk.lz4 variant, while keeping the version decided by the normal dependency graph (1.10.2 here). The :0 is just a required placeholder — it has no real effect on the version chosen.

[nastra]

not sure I understand what "from relocation" refers to. Maybe this should say Enforce lz4-java that contains CVE-X and CVE-Y fixes

[slfan1989]

Thanks for your suggestions—I’ll work on improving this part.