From b44ab759bd3d5ef186c2e7c6c0640fbc1de5233b Mon Sep 17 00:00:00 2001 From: Kevin Liu Date: Mon, 30 Mar 2026 13:10:20 -0700 Subject: [PATCH 1/3] for 1.10.x --- build.gradle | 7 +++++++ gradle/libs.versions.toml | 2 +- open-api/LICENSE | 2 +- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/build.gradle b/build.gradle index 6bc052885fc4..94996052d91c 100644 --- a/build.gradle +++ b/build.gradle @@ -182,6 +182,13 @@ subprojects { exclude group: 'com.sun.jersey' exclude group: 'com.sun.jersey.contribs' exclude group: 'org.pentaho', module: 'pentaho-aggdesigner-algorithm' + + resolutionStrategy { + dependencySubstitution { + substitute module("io.airlift:aircompressor") using module(libs.aircompressor.get().toString()) because("Enforce aircompressor that contains CVE-2025-67721 fix") + } + } + } testArtifacts diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml index 1cf09cac503b..e7ad8e944a46 100644 --- a/gradle/libs.versions.toml +++ b/gradle/libs.versions.toml @@ -25,7 +25,7 @@ aliyun-sdk-oss = "3.10.2" analyticsaccelerator = "1.3.0" antlr = "4.9.3" antlr413 = "4.13.1" # For Spark 4.0 support -aircompressor = "0.27" +aircompressor = "2.0.3" apiguardian = "1.1.2" arrow = "15.0.2" avro = "1.12.1" diff --git a/open-api/LICENSE b/open-api/LICENSE index 4ddb9816e797..f57bea14ef65 100644 --- a/open-api/LICENSE +++ b/open-api/LICENSE @@ -391,7 +391,7 @@ License (from POM): Apache License, Version 2.0 - http://apache.org/licenses/LIC -------------------------------------------------------------------------------- -Group: io.airlift Name: aircompressor Version: 0.27 +Group: io.airlift Name: aircompressor Version: 2.0.3 Project URL (from POM): https://github.com/airlift/aircompressor License (from POM): Apache License 2.0 - https://www.apache.org/licenses/LICENSE-2.0.html From a80df0ca5f3c8d5cea1265c7ab4949b152e95a49 Mon Sep 17 00:00:00 2001 
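Review bot: The substitution added under `resolutionStrategy` is an exact pin rather than a minimum: every request for `io.airlift:aircompressor` in the configurations this block covers is rewritten to the catalog version, so a transitive dependency that later asks for a newer release would be moved back down to 2.0.3 with no signal. The same rule also moves libraries built against the 0.x line (the catalog entry was `0.27`) onto 2.0.3, so it is worth running the compression-codec tests, because a major-version jump can surface as linkage errors only at runtime. A version floor matches the CVE-2025-67721 intent more closely, for example a dependency constraint on `libs.aircompressor` carrying the same reason text. If the pin stays, the reason should record its exit condition, e.g. `because("Pin aircompressor to a release with the CVE-2025-67721 fix; remove once all transitive requests are >= 2.0.3")`. This applies equally to the rewritten form in PATCH 2/3, and the enclosing `subprojects` block starts and ends outside the hunk.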
From: Kevin Liu Date: Mon, 30 Mar 2026 13:42:11 -0700 Subject: [PATCH 2/3] fix --- build.gradle | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/build.gradle b/build.gradle index 94996052d91c..058e845cda84 100644 --- a/build.gradle +++ b/build.gradle @@ -184,11 +184,11 @@ subprojects { exclude group: 'org.pentaho', module: 'pentaho-aggdesigner-algorithm' resolutionStrategy { - dependencySubstitution { - substitute module("io.airlift:aircompressor") using module(libs.aircompressor.get().toString()) because("Enforce aircompressor that contains CVE-2025-67721 fix") - } + def ds = dependencySubstitution + ds.substitute(ds.module("io.airlift:aircompressor")) + .using(ds.module(libs.aircompressor.get().toString())) + .because("Enforce aircompressor that contains CVE-2025-67721 fix") } - } testArtifacts From a496b6c3d0b6760bece14d785139570735cf9bde Mon Sep 17 00:00:00 2001 From: Kevin Liu Date: Mon, 30 Mar 2026 17:46:41 -0700 Subject: [PATCH 3/3] fix versions --- kafka-connect/kafka-connect-runtime/hive/LICENSE | 2 +- kafka-connect/kafka-connect-runtime/main/LICENSE | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kafka-connect/kafka-connect-runtime/hive/LICENSE b/kafka-connect/kafka-connect-runtime/hive/LICENSE index 6ba5e807d8a6..a9c07b318fe4 100644 --- a/kafka-connect/kafka-connect-runtime/hive/LICENSE +++ b/kafka-connect/kafka-connect-runtime/hive/LICENSE @@ -777,7 +777,7 @@ License (from POM): BSD 2-Clause license - http://opensource.org/licenses/BSD-2- -------------------------------------------------------------------------------- -Group: io.airlift Name: aircompressor Version: 2.0.2 +Group: io.airlift Name: aircompressor Version: 2.0.3 Project URL (from POM): https://github.com/airlift/aircompressor License (from POM): Apache License 2.0 - https://www.apache.org/licenses/LICENSE-2.0.html 
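Review bot: The substitution target on the `.using(...)` line is built from `libs.aircompressor.get().toString()`, which depends on the string form of the catalog's dependency object being exactly `group:name:version`; that looks like an implementation detail rather than a documented contract. Building the coordinate from the version accessor for the `aircompressor` entry visible in `gradle/libs.versions.toml` keeps the target explicit: `.using(ds.module("io.airlift:aircompressor:${libs.versions.aircompressor.get()}"))`. The block would also benefit from a one-line comment saying why the explicit `ds` receiver replaced the nested `dependencySubstitution { ... }` form, since the subject line "fix" does not record the reason. The enclosing block continues outside the hunk.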
diff --git a/kafka-connect/kafka-connect-runtime/main/LICENSE b/kafka-connect/kafka-connect-runtime/main/LICENSE index 1841169f47b6..eec1897e3789 100644 --- a/kafka-connect/kafka-connect-runtime/main/LICENSE +++ b/kafka-connect/kafka-connect-runtime/main/LICENSE @@ -732,7 +732,7 @@ License (from POM): BSD 2-Clause license - http://opensource.org/licenses/BSD-2- -------------------------------------------------------------------------------- -Group: io.airlift Name: aircompressor Version: 2.0.2 +Group: io.airlift Name: aircompressor Version: 2.0.3 Project URL (from POM): https://github.com/airlift/aircompressor License (from POM): Apache License 2.0 - https://www.apache.org/licenses/LICENSE-2.0.html