fix(security): Override vulnerable lz4-java dependency to address CVE

[sumi-mathew]

Description

Override vulnerable lz4-java dependency to address CVE-2025-12183

Test Plan

Contributor checklist

• Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
• PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
• Documented new properties (with its default value), SQL syntax, functions, or other functionality.
• If release notes are required, they follow the release notes guidelines.
• Adequate tests were added if applicable.
• CI passed.
• If adding new dependencies, verified they have an OpenSSF Scorecard score of 5.0 or higher (or obtained explicit TSC approval for lower scores).

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Security Changes
* Upgrade lz4-java to 1.10.2 in response to `CVE-2025-12183 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12183>`_. 

[steveburnett]

Thanks for the release note! Formatting nit:

== RELEASE NOTES ==

Security Changes
* Upgrade lz4-java to 1.10.2 in response to `CVE-2025-12183 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12183>`_. 

[ShahimSharafudeen]

Please run some manual integration tests with Kafka connector after the change since we don't have enough CI tests for this.

[sumi-mathew]

Please run some manual integration tests with Kafka connector after the change since we don't have enough CI tests for this.

Thanks for reviewing the PR. I am attaching the test results.

[ShahimSharafudeen]

Please run some manual integration tests with Kafka connector after the change since we don't have enough CI tests for this.

Thanks for reviewing the PR. I am attaching the test results.

As per the test results, I believe the test scenarios are working as expected. The query results are showing empty because there is no data in the corresponding table in the datasource.

[ShahimSharafudeen]

LGTM..

[imjalpreet]

Thank you, @sumi-mathew.

Changes look good, just one thought, I have seen a couple of PRs fixing this CVE in different modules and I wonder if we can just add this dependency and version to root pom.

[sumi-mathew]

Changes look good, just one thought, I have seen a couple of PRs fixing this CVE in different modules and I wonder if we can just add this dependency and version to root pom.

Thanks for the review!

I agree with the suggestion. Since this CVE is being addressed across multiple modules, it makes sense to add the dependency and version to the root POM. Once these two PRs are merged — #26820
and #26684
— I’ll update the root POM accordingly.

[prestodb-ci]

@imjalpreet imported this issue as lakehouse/presto #26931

[imjalpreet]

Thanks, @sumi-mathew. Just a minor nit, otherwise LGTM.

[imjalpreet]

nit: Let's add the CVE comment here as well.

[imjalpreet]

@sumi-mathew, please rebase on the latest master to trigger a new required check for GPU(prestocpp-linux-build-gpu-engine)

[imjalpreet]

Since this is the root POM, the comment should be generic and refer only to the CVE itself. We don't have to mention Kafka specifically, as the override applies to multiple dependencies, not just Kafka.