Conversation

@pnowojski
Contributor

What is the purpose of the change

Upgrade lz4 to 1.8.1 due to security vulnerability

Verifying this change

Change should be covered by the existing tests.

Does this pull request potentially affect one of the following parts:

  • Dependencies (does it add or upgrade a dependency): (yes / no)
  • The public API, i.e., is any changed class annotated with @Public(Evolving): (yes / no)
  • The serializers: (yes / no / don't know)
  • The runtime per-record code paths (performance sensitive): (yes / no / don't know)
  • Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: (yes / no / don't know)
  • The S3 file system connector: (yes / no / don't know)

Documentation

  • Does this pull request introduce a new feature? (yes / no)
  • If yes, how is the feature documented? (not applicable / docs / JavaDocs / not documented)

@pnowojski pnowojski marked this pull request as draft December 5, 2025 13:27
@flinkbot
Collaborator

flinkbot commented Dec 5, 2025

CI report:

Bot commands: the @flinkbot bot supports the following commands:
  • @flinkbot run azure re-run the last Azure build

@pnowojski
Contributor Author

pnowojski commented Dec 5, 2025

lz4 1.8.0 is still being pulled from our Kafka connector, via Kafka client 🤔

[INFO] +- org.apache.flink:flink-connector-kafka:jar:3.0.0-1.17:compile
[INFO] |  +- org.apache.flink:flink-connector-base:jar:1.17.0:compile
[INFO] |  \- org.apache.kafka:kafka-clients:jar:3.2.3:compile
[INFO] |     +- com.github.luben:zstd-jni:jar:1.5.2-1:runtime
[INFO] |     \- org.lz4:lz4-java:jar:1.8.0:runtime

Kafka connector is pulled in from examples and in some tests, so on the one hand I think we should be fine just ignoring it until kafka connector upgrades its own dependency 🤔 But on the other hand I'm worried about dependency convergence if someone tries to use Flink with lz4 1.8.1 with Kafka Connector with lz4 1.8.0.

I'm not 100% sure how to proceed here.

I guess we need to fix this problem simultaneously in the two repos, and only the new flink kafka connector versions will be officially compatible with Flink versions released with this change/fix?
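For anyone checking their own build for the same lingering transitive version, here is an added example (not part of this PR or of Flink's code) that parses the `mvn dependency:tree` output format quoted above and reports artifacts that are pulled in at more than one version, or at a version below a required minimum, together with the path that pulls each one in. The sample tree is constructed: it reuses the five connector lines from the comment above under a hypothetical root `com.example:sample-app` and adds a hypothetical direct `org.lz4:lz4-java:1.8.1` dependency so that both versions are present. The version ordering is a simplified numeric comparison, not Maven's full version rules.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample of `mvn dependency:tree` output. The five lines under
# flink-connector-kafka are the ones quoted in the comment above; the root
# coordinate and the direct lz4-java 1.8.1 line are hypothetical additions so
# that the same artifact appears at two versions.
SAMPLE_TREE = r"""
[INFO] com.example:sample-app:jar:1.0
[INFO] +- org.lz4:lz4-java:jar:1.8.1:compile
[INFO] +- org.apache.flink:flink-connector-kafka:jar:3.0.0-1.17:compile
[INFO] |  +- org.apache.flink:flink-connector-base:jar:1.17.0:compile
[INFO] |  \- org.apache.kafka:kafka-clients:jar:3.2.3:compile
[INFO] |     +- com.github.luben:zstd-jni:jar:1.5.2-1:runtime
[INFO] |     \- org.lz4:lz4-java:jar:1.8.0:runtime
"""


class Dep(NamedTuple):
    group: str
    artifact: str
    version: str
    path: str  # ancestors, root first, each as "group:artifact:version"


# One tree line: "[INFO] ", an indent made of 3-character cells ("|  " or
# "   "), an optional "+- " / "\- " connector, then the Maven coordinate.
_LINE = re.compile(r"^\[INFO\] (?P<indent>(?:[| ]  )*)(?P<conn>[+\\]- )?(?P<coord>\S+)")


def parse_tree(text: str) -> List[Dep]:
    """Parse tree output into Dep records, reconstructing each node's ancestor path."""
    deps: List[Dep] = []
    stack: List[str] = []  # ancestors of the node being parsed, indexed by depth
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        parts = m.group("coord").split(":")
        if len(parts) < 4:  # not a coordinate, e.g. "[INFO] BUILD SUCCESS"
            continue
        group, artifact = parts[0], parts[1]
        # group:artifact:type[:classifier]:version[:scope]; the root line has no scope
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        depth = len(m.group("indent")) // 3 + (1 if m.group("conn") else 0)
        del stack[depth:]  # drop the previous node's siblings and descendants
        deps.append(Dep(group, artifact, version, " > ".join(stack)))
        stack.append(f"{group}:{artifact}:{version}")
    return deps


def version_key(version: str):
    """Simplified ordering: numeric components only (not Maven's full version rules)."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def versions_by_artifact(deps: List[Dep]) -> Dict[str, Dict[str, List[str]]]:
    """Map 'group:artifact' -> version -> the paths through which it is reached."""
    out: Dict[str, Dict[str, List[str]]] = {}
    for d in deps:
        out.setdefault(f"{d.group}:{d.artifact}", {}).setdefault(d.version, []).append(d.path)
    return out


def find_convergence_conflicts(deps: List[Dep]) -> Dict[str, Dict[str, List[str]]]:
    """Artifacts that the tree pulls in at more than one version."""
    return {ga: vs for ga, vs in versions_by_artifact(deps).items() if len(vs) > 1}


def find_below_minimum(deps: List[Dep], ga: str, minimum: str) -> List[Dep]:
    """Occurrences of `ga` older than `minimum`, with the path that pulls them in."""
    return [d for d in deps
            if f"{d.group}:{d.artifact}" == ga and version_key(d.version) < version_key(minimum)]


if __name__ == "__main__":
    tree = parse_tree(SAMPLE_TREE)
    for ga, versions in find_convergence_conflicts(tree).items():
        print(f"non-converged: {ga} -> {sorted(versions)}")
    for d in find_below_minimum(tree, "org.lz4:lz4-java", "1.8.1"):
        print(f"stale {d.group}:{d.artifact}:{d.version} via {d.path}")
```

On the sample above this reports `org.lz4:lz4-java` as non-converged (1.8.0 and 1.8.1) and names the path through `flink-connector-kafka` and `kafka-clients` that still brings in 1.8.0, which is the information needed to decide between a `dependencyManagement` override in the consuming build and waiting for the connector to bump its own dependency. Run it against real output with `mvn dependency:tree` piped into `parse_tree`.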
