Kafka Connect: Fix CVE-2025-67721 in io.airlift:aircompressor#15440
rmoff wants to merge 2 commits into apache:main from
Conversation
@amogh-jahagirdar would this be a candidate for 1.10.2 release?
@rmoff Yes I would say so, that upgrading airlift to address this CVE is appropriate for a 1.10.2, thanks for bringing it up! I went ahead and added it to the milestone.
6f42e6b to a5fc7b2
Update the central version in libs.versions.toml from 0.27 to 2.0.3 and update the version reference in open-api/LICENSE.
a5fc7b2 to 5302915
rymurr left a comment
LGTM, I will leave it open for a few days to see if anyone else wants to comment. Will merge on Mon otherwise
kevinjqliu left a comment
I think we need to enforce this globally, following this pattern
Line 198 in 5caeec6
something like
substitute module("io.airlift:aircompressor") using module(libs.aircompressor.get().toString()) because("Enforce aircompressor that contains the CVE-2025-67721 fix")
| antlr = "4.9.3" | ||
| antlr413 = "4.13.1" # For Spark 4.0 support | ||
| aircompressor = "0.27" | ||
| aircompressor = "2.0.3" |
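Review bot: the hunk only changes the catalog entry (0.27 to 2.0.3), which updates modules that declare io.airlift:aircompressor directly but leaves any path that reaches it only transitively on whatever version the intermediate dependency asks for; pair the bump with a dependency substitution rule that forces the catalog version for all configurations, as this repository already does for lz4-java, so the CVE-2025-67721 fix is guaranteed on every resolved path. Since the jump goes from 0.x to 2.x, the description should also say that the Kafka Connect runtime was exercised against the new major version, not only that the dependency report shows 2.0.3.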
👍 2.0.3 makes sense
https://mvnrepository.com/artifact/io.airlift/aircompressor
btw we should create a new PR (with the same change) targeting the 1.10.x branch
Add a substitute rule in build.gradle to enforce aircompressor 2.0.3 across all modules, following the same pattern used for lz4-java.
Summary
Update io.airlift:aircompressor to 2.0.3 in the Kafka Connect runtime distribution to fix CVE-2025-67721 (HIGH severity).
Closes #15378
Trivy scan (after fix)
Test plan
- ./gradlew :iceberg-kafka-connect:iceberg-kafka-connect-runtime:dependencies confirms all aircompressor paths resolve to 2.0.3
- trivy rootfs scan of built distribution shows 0 HIGH/CRITICAL CVEs
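The first test-plan step, turned into a check that can run in CI (an added example script, not part of this PR or the Iceberg build): given the text printed by the `dependencies` task, it fails unless every io.airlift:aircompressor edge resolves to 2.0.3, reading the right-hand side of Gradle's "declared -> resolved" notation where a substitution rule or conflict resolution changed the version. The two dependency reports embedded below are constructed samples, not real project output.

```shell
#!/usr/bin/env sh
# Constructed sample of what `./gradlew ...:dependencies` prints after the
# substitution rule is in place (not real project output). Gradle writes
# "declared -> resolved" on edges whose version was changed by a rule.
FIXED_REPORT=$(cat <<'EOF'
runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.example:some-format-lib:1.0.0
|    \--- io.airlift:aircompressor:0.27 -> 2.0.3
+--- com.example:other-lib:3.1.0
|    \--- io.airlift:aircompressor:0.27 -> 2.0.3 (*)
\--- io.airlift:aircompressor:2.0.3
EOF
)

# Constructed sample of the same report before enforcement: modules that only
# pull aircompressor transitively keep the old version.
UNFIXED_REPORT=$(cat <<'EOF'
runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.example:some-format-lib:1.0.0
|    \--- io.airlift:aircompressor:0.27
\--- com.example:other-lib:3.1.0
     \--- io.airlift:aircompressor:0.27 (*)
EOF
)

# aircompressor_versions REPORT
# Print the version each io.airlift:aircompressor edge resolves to, one per
# line: the right-hand side of " -> " when present, else the declared version.
aircompressor_versions() {
  printf '%s\n' "$1" \
    | grep 'io\.airlift:aircompressor:' \
    | sed -E 's/.*io\.airlift:aircompressor:([^ ]+)( -> ([^ ]+))?.*/\1 \3/' \
    | awk '{ print ($2 != "") ? $2 : $1 }'
}

# check_aircompressor REPORT WANTED_VERSION
# Succeed only if aircompressor appears and every edge resolves to
# WANTED_VERSION; otherwise list the offending versions on stderr and fail.
check_aircompressor() {
  versions=$(aircompressor_versions "$1")
  [ -n "$versions" ] || { echo "no aircompressor edge found" >&2; return 1; }
  bad=$(printf '%s\n' "$versions" | grep -v -x -F "$2" | sort -u)
  if [ -n "$bad" ]; then
    printf 'aircompressor still resolves to: %s\n' "$bad" >&2
    return 1
  fi
}

check_aircompressor "$FIXED_REPORT" 2.0.3 && echo "all aircompressor paths resolve to 2.0.3"
```

In a real pipeline, pipe `./gradlew :iceberg-kafka-connect:iceberg-kafka-connect-runtime:dependencies` into a variable and pass that instead of the constructed report.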