Skip to content

Releases: yawkat/lz4-java

lz4-java v1.11.1

Choose a tag to compare

@yawkat yawkat released this 06 Jul 09:49
dbd86d0

Security release for CVE-2026-59949.

What's Changed

  • Fix docs code block line breaks by @yawkat in #52

Full Changelog: v1.11.0...v1.11.1

lz4-java v1.11.0

Choose a tag to compare

@yawkat yawkat released this 09 Apr 18:00
5049a27

What's Changed

New Contributors

Full Changelog: v1.10.4...v1.11.0

lz4-java v1.10.4

Choose a tag to compare

@yawkat yawkat released this 02 Mar 17:22
de5e4db

What's Changed

  • Tune Linux native build flags and xxhash compilation by @yawkat in #41
  • Fix Linux native flags for non-x86 CI builds by @yawkat in #42

These changes attempt to fix the native performance regression in 1.9+. They should have no functional or security impact.

Full Changelog: v1.10.3...v1.10.4

lz4-java v1.10.3

Choose a tag to compare

@yawkat yawkat released this 21 Jan 13:06
af57e23

What's Changed

New Contributors

Full Changelog: v1.10.2...v1.10.3

lz4-java v1.10.2

Choose a tag to compare

@yawkat yawkat released this 16 Dec 07:49
e3aa42c

What's Changed

New Contributors

Full Changelog: v1.10.1...v1.10.2

lz4-java v1.10.1

Choose a tag to compare

@yawkat yawkat released this 05 Dec 08:35
33d180c

Contains fix for CVE-2025-66566!

What's Changed

  • Add test for corrupted LZ4 block input stream by @Marcono1234 in #7
  • Update documentation for checksum registration by @yawkat in #8
  • Migrate to maven-git-versioning-extension by @yawkat in #10
  • Add workflow_dispatch trigger to multi-platform build to allow testing without release by @yawkat in #13
  • Copy native libraries to target/classes instead of src/resources by @yawkat in #14

Full Changelog: v1.10.0...v1.10.1

lz4-java v1.10.0

Choose a tag to compare

@yawkat yawkat released this 02 Dec 11:34
d2d01a7

This release does not contain security-relevant changes. It was made for #3, so that users of LZ4BlockInputStream can migrate to safeDecompressor() to mitigate the performance impact of the CVE‐2025‐12183 patch. Note that this still requires a change in user code.

What's Changed

New Contributors

Full Changelog: v1.9.0...v1.10.0

lz4-java v1.9.0

Choose a tag to compare

@yawkat yawkat released this 26 Nov 09:01
  • Replace ant-based build with maven (@yawkat)
  • Use multi-platform GitHub actions for native library build (@yawkat)
  • Update lz4 to v1.10.0 (@yawkat)
  • Improve Java implementation bounds checking and tests (@yawkat and @Marcono1234)

Unsafe implementations should be secure now, but are not yet enabled by default.

Full Changelog: v1.8.1...v1.9.0

lz4-java v1.8.1

Choose a tag to compare

@yawkat yawkat released this 26 Nov 08:52

Note: This release is still vulnerable to CVE-2025-66566 which was discovered later. Please upgrade to at.yawk.lz4:lz4-java:1.10.1.

Minimal patch to resolve CVE‐2025‐12183:

  • LZ4Factory.nativeInstance().fastDecompressor() returns the safe Java implementation instead
  • LZ4Factory.unsafeInstance() returns the safe Java implementation instead
  • LZ4Factory.unsafeInsecureInstance() and LZ4Factory.nativeInsecureInstance() are added to provide access to insecure but faster implementations.

User code does not need to be changed for this patch to be effective.

The full diffoscope output can be found here.

org.lz4:lz4-java:1.8.1 is a relocation pom that "redirects" to the new artifact at.yawk.lz4:lz4-java:1.8.1. To avoid issues with gradle, please use only the latter group ID.