Known vulnerabilities in shared libraries zstd which druid depends on.Can you help upgrade to patch versions?

[HelenParr]

Hi, @fjy , @gianm , I'd like to report a vulnerability issue in org.apache.druid:druid-benchmarks:0.22.1.

Issue Description

org.apache.druid:druid-benchmarks:0.22.1 directly or transitively depends on 59 C libraries (.so) cross many platforms(such as x86-64, x86, arm64, armhf). However, I noticed that one C library is vulnerable, containing the following CVEs:

libzstd-jni.so from C project zstd(version:1.3.3) exposed 2 vulnerabilities:
CVE-2021-24031, CVE-2019-11922

Suggested Vulnerability Patch Versions

zstd has fixed the vulnerabilities in versions >=1.4.9

Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects.
Could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~
Best regards,

[FrankChen021]

According to #11816, it's recommended to upgrade the zstd-jni to 1.5.0-4.

The latest version is 1.5.2-2

[FrankChen021]

I notice that #12408 is also trying to upgrade the zstd-jni dependency. Maybe we can merge that PR once it's ready so that we can save our work to upgrade the dependency in a separate PR.

[FrankChen021]

Closed via #12408