From 42cb20795847bfb2042eb8121c77d52f6f8c9299 Mon Sep 17 00:00:00 2001
From: Piotr Nowojski
Date: Fri, 5 Dec 2025 14:14:50 +0100
Subject: [PATCH] [FLINK-38764] Upgrade lz4 to 1.8.1 due to security vulnerability
---
flink-dist/src/main/resources/META-INF/NOTICE | 2 +-
flink-formats/flink-avro-confluent-registry/pom.xml | 4 ++++
flink-runtime/pom.xml | 2 +-
pom.xml | 4 ++--
4 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/flink-dist/src/main/resources/META-INF/NOTICE b/flink-dist/src/main/resources/META-INF/NOTICE
index 6854033457692..d0f4cb6fac5dc 100644
--- a/flink-dist/src/main/resources/META-INF/NOTICE
+++ b/flink-dist/src/main/resources/META-INF/NOTICE
@@ -6,6 +6,7 @@ The Apache Software Foundation (http://www.apache.org/). This project bundles the following dependencies under the Apache Software License 2.0 (http://www.apache.org/licenses/LICENSE-2.0.txt) +- at.yawk.lz4:lz4-java:1.8.1 - com.google.code.findbugs:jsr305:1.3.9 - com.ververica:frocksdbjni:8.10.0-ververica-1.0 - com.ververica:forstjni:0.1.8
@@ -17,7 +18,6 @@ This project bundles the following dependencies under the Apache Software Licens - org.apache.commons:commons-math3:3.6.1 - org.apache.commons:commons-text:1.10.0 - org.javassist:javassist:3.24.0-GA -- org.lz4:lz4-java:1.8.0 - org.objenesis:objenesis:3.4 - org.xerial.snappy:snappy-java:1.1.10.7 - tools.profiler:async-profiler:2.9
diff --git a/flink-formats/flink-avro-confluent-registry/pom.xml b/flink-formats/flink-avro-confluent-registry/pom.xml
index d483f3a7688b8..65d3ff7c020dc 100644
--- a/flink-formats/flink-avro-confluent-registry/pom.xml
+++ b/flink-formats/flink-avro-confluent-registry/pom.xml
@@ -60,6 +60,10 @@ under the License. org.lz4 lz4-java + + at.yawk.lz4 + lz4-java + io.swagger swagger-core
diff --git a/flink-runtime/pom.xml b/flink-runtime/pom.xml
index a9242a505b24e..6ec4ed68aca03 100644
--- a/flink-runtime/pom.xml
+++ b/flink-runtime/pom.xml
@@ -238,7 +238,7 @@ under the License. - org.lz4 + at.yawk.lz4 lz4-java
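Review bot: In the flink-avro-confluent-registry hunk, the new `at.yawk.lz4:lz4-java` exclusion sits next to the existing `org.lz4:lz4-java` one with nothing explaining why both are needed, so a later cleanup could drop one as a duplicate. A short comment above the pair would help, e.g. `<!-- lz4-java is published under two groupIds; exclude both so neither copy arrives transitively -->`. The XML tags of this hunk are not visible on the page, so the exact placement inside the exclusions list is inferred.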
diff --git a/pom.xml b/pom.xml
index 630cf47228333..c1c3b3c5139f4 100644
--- a/pom.xml
+++ b/pom.xml
@@ -165,7 +165,7 @@ under the License. 4.32.1 3.14.9 1.20.2 - 1.8.0 + 1.8.1 2.15.1 false validate
@@ -581,7 +581,7 @@ under the License. - org.lz4 + at.yawk.lz4 lz4-java ${lz4.version}
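Review bot: The second pom.xml hunk replaces the managed `org.lz4:lz4-java` entry instead of adding to it, so a transitive dependency that still declares the old groupId is no longer pinned by `${lz4.version}`, and Maven will not see it as a conflict with `at.yawk.lz4:lz4-java`. Both jars could then end up on the classpath, presumably carrying the same classes, and which copy loads would depend on classpath order. Consider banning the old coordinate in the build, e.g. a maven-enforcer `bannedDependencies` rule with `<exclude>org.lz4:lz4-java</exclude>`, and checking `mvn dependency:tree -Dincludes=org.lz4` across modules; the same applies to the groupId switch in flink-runtime/pom.xml. The subject line also does not name the advisory being fixed; a reference in the commit message or beside the `lz4.version` property would let auditors confirm that 1.8.1 covers it.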