
8481: Update lz4-java to 1.10.1

Open aptmac opened this issue 2 months ago • 8 comments

There's currently a security advisory open for the version of lz4-java we are using. lz4-java had been archived, but has been updated by a new maintainer with a fix for the security issue.

See: https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q


Progress

  • [x] Commit message must refer to an issue
  • [ ] Change must be properly reviewed (1 review required, with at least 1 Committer)

Issue

  • JMC-8481: Update lz4-java to 1.10.1 (Bug - P4)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jmc.git pull/694/head:pull/694
$ git checkout pull/694

Update a local copy of the PR:
$ git checkout pull/694
$ git pull https://git.openjdk.org/jmc.git pull/694/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 694

View PR using the GUI difftool:
$ git pr show -t 694

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jmc/pull/694.diff

Using Webrev

Link to Webrev Comment

aptmac avatar Dec 12 '25 15:12 aptmac

:wave: Welcome back aptmac! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

bridgekeeper[bot] avatar Dec 12 '25 15:12 bridgekeeper[bot]

❗ This change is not yet ready to be integrated. See the Progress checklist in the description for automated requirements.

openjdk[bot] avatar Dec 12 '25 15:12 openjdk[bot]

@aptmac Please do not rebase or force-push to an active PR as it invalidates existing review comments. Note for future reference, the bots always squash all changes into a single commit automatically as part of the integration. See OpenJDK Developers’ Guide for more information.

openjdk[bot] avatar Dec 12 '25 15:12 openjdk[bot]

Webrevs

mlbridge[bot] avatar Dec 12 '25 15:12 mlbridge[bot]

@aptmac Please do not rebase or force-push to an active PR as it invalidates existing review comments. Note for future reference, the bots always squash all changes into a single commit automatically as part of the integration. See OpenJDK Developers’ Guide for more information.

openjdk[bot] avatar Dec 12 '25 19:12 openjdk[bot]

@aptmac Please do not rebase or force-push to an active PR as it invalidates existing review comments. Note for future reference, the bots always squash all changes into a single commit automatically as part of the integration. See OpenJDK Developers’ Guide for more information.

openjdk[bot] avatar Dec 12 '25 19:12 openjdk[bot]

Will have to go back over this one, looks like the test case isn't able to find the lz4-java class that we're trying to use:

  NotificationModelTest>RjmxTestCase.mcTestCaseBefore:288->RjmxTestCase.createDefaultServerDesciptor:194 » NoClassDefFound net/jpountz/lz4/LZ4FrameInputStream
  NotificationModelTest>RjmxTestCase.mcTestCaseBefore:288->RjmxTestCase.createDefaultServerDesciptor:194 » NoClassDefFound net/jpountz/lz4/LZ4FrameInputStream
  NotificationTriggerAndRuleTest>RjmxTestCase.mcTestCaseBefore:288->RjmxTestCase.createDefaultServerDesciptor:194 » NoClassDefFound net/jpountz/lz4/LZ4FrameInputStream
  NotificationTriggerAndRuleTest>RjmxTestCase.mcTestCaseBefore:288->RjmxTestCase.createDefaultServerDesciptor:194 » NoClassDefFound net/jpountz/lz4/LZ4FrameInputStream
  NotificationTriggerAndRuleTest>RjmxTestCase.mcTestCaseBefore:288->RjmxTestCase.createDefaultServerDesciptor:194 » NoClassDefFound net/jpountz/lz4/LZ4FrameInputStream

aptmac avatar Dec 12 '25 21:12 aptmac

Hm, taking a look at the jar that's pulled in from maven central, the packages aren't exported:

Manifest-Version: 1.0
Automatic-Module-Name: org.lz4.java
Build-Jdk-Spec: 21
Bundle-ManifestVersion: 2
Bundle-Name: lz4-java
Bundle-SymbolicName: lz4-java
Bundle-Version: 0
Import-Package: java.io,java.lang,java.lang.reflect,java.nio,java.util
 ,java.util.zip,sun.misc
Originally-Created-By: Maven JAR Plugin 3.4.1
Private-Package: net.jpountz.lz4,net.jpountz.util,net.jpountz.util.dar
 win.aarch64,net.jpountz.util.darwin.x86_64,net.jpountz.util.linux.aar
 ch64,net.jpountz.util.linux.amd64,net.jpountz.util.linux.i386,net.jpo
 untz.util.linux.ppc64le,net.jpountz.util.linux.s390x,net.jpountz.util
 .win32.amd64,net.jpountz.xxhash
Require-Capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"

Edit: that require-capability on java 7 is also kind of suspicious

aptmac avatar Dec 12 '25 22:12 aptmac
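The manifest quoted above lists net.jpountz.lz4 under Private-Package and has no Export-Package header, so in an OSGi runtime such as the Eclipse platform JMC builds on the package is bundled but invisible to other bundles, which matches the NoClassDefFoundError seen in the tests. The following is an added example, not JMC or lz4-java code, that checks a dependency bump for exactly this: it parses the MANIFEST.MF format (header values wrapped at 72 bytes continue on lines beginning with a single space, as in the quote above) and reports whether a package is exported, merely private, or absent. The sample manifest is constructed from the one quoted in the comment; the jar path in package_visibility_in_jar is an assumption.

```python
"""Check whether an OSGi bundle manifest exports a package a consumer needs.

Added example (not JMC or lz4-java code). It unfolds MANIFEST.MF
continuation lines and classifies a package as exported (Export-Package),
private (Private-Package) or absent.
"""
import re
import zipfile

# Constructed sample: a trimmed copy of the lz4-java manifest quoted in the
# PR comment, keeping the continuation lines exactly as the jar wraps them.
SAMPLE_MANIFEST = """Manifest-Version: 1.0
Automatic-Module-Name: org.lz4.java
Bundle-ManifestVersion: 2
Bundle-SymbolicName: lz4-java
Import-Package: java.io,java.lang,java.lang.reflect,java.nio,java.util
 ,java.util.zip,sun.misc
Private-Package: net.jpountz.lz4,net.jpountz.util,net.jpountz.util.dar
 win.aarch64,net.jpountz.util.darwin.x86_64,net.jpountz.xxhash
Require-Capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"
"""

# Constructed sample of what a fixed manifest would look like once the
# packages are exported; version attributes are illustrative.
FIXED_MANIFEST = """Manifest-Version: 1.0
Bundle-SymbolicName: lz4-java
Export-Package: net.jpountz.lz4;version="1.10.1",net.jpountz.xxhash;vers
 ion="1.10.1",net.jpountz.util;uses:="java.nio,java.io";version="1.10.1"
"""


def parse_manifest(text):
    """Return {header: value} for the main section, joining continuation lines."""
    headers = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            break  # first blank line ends the main section; per-entry sections follow
        if raw.startswith(" ") and current is not None:
            headers[current] += raw[1:]  # continuation: strip the single leading space
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            raise ValueError("malformed manifest line: %r" % raw)
        current = name.strip()
        headers[current] = value.strip()
    return headers


def split_packages(header_value):
    """Split a package header into package names, dropping ;attributes and :=directives."""
    if not header_value:
        return []
    # Commas inside quoted attribute values (e.g. uses:="a,b") must not split.
    parts = re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', header_value)
    return [p.split(";")[0].strip() for p in parts if p.strip()]


def package_visibility(manifest_text, package):
    """Classify a package as 'exported', 'private' or 'absent' for this bundle."""
    headers = parse_manifest(manifest_text)
    if package in split_packages(headers.get("Export-Package", "")):
        return "exported"
    if package in split_packages(headers.get("Private-Package", "")):
        return "private"
    return "absent"


def package_visibility_in_jar(jar_path, package):
    """Same check against a real jar's META-INF/MANIFEST.MF (jar_path is assumed)."""
    with zipfile.ZipFile(jar_path) as jar:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    return package_visibility(text, package)


if __name__ == "__main__":
    for name, text in (("current", SAMPLE_MANIFEST), ("fixed", FIXED_MANIFEST)):
        print(name, "net.jpountz.lz4 is", package_visibility(text, "net.jpountz.lz4"))
```

Running package_visibility_in_jar against the downloaded artifact before bumping the version in the build catches the "bundled but not exported" case on the developer's machine instead of in the test suite; a result of "private" for a package the consumer imports is the condition the comment describes.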

I contributed a PR to the new lz4-java repo, which should fix the package exports: https://github.com/yawkat/lz4-java/pull/28

Will need to check back here once it's released and verify that it actually works.

aptmac avatar Dec 16 '25 15:12 aptmac