[1.10.x] Fix CVE-2025-67721 in io.airlift:aircompressor

[kevinjqliu]

Backport #15440 for 1.10.x branch

Not a clean backport, had to change resolutionStrategy in build.gradle.
Otherwise:

A problem occurred configuring project ':iceberg-aliyun'.
> Failed to notify project evaluation listener.
   > No signature of method: org.gradle.api.internal.artifacts.ivyservice.resolutionstrategy.DefaultResolutionStrategy.module() is applicable for argument types: (String) values: [io.airlift:aircompressor]
     Possible solutions: dump(), force([Ljava.lang.Object;), force([Ljava.lang.Object;), use([Ljava.lang.Object;)
   > No signature of method: org.gradle.api.internal.artifacts.ivyservice.resolutionstrategy.DefaultResolutionStrategy.module() is applicable for argument types: (String) values: [io.airlift:aircompressor]

Deprecated Gradle features were used in this build, making it incompatible with Gradle 9.0.
     Possible solutions: dump(), force([Ljava.lang.Object;), force([Ljava.lang.Object;), use([Ljava.lang.Object;)

Updated LICENSE files to reflect the latest aircompressor version in

• kafka-connect/kafka-connect-runtime/hive/LICENSE
• kafka-connect/kafka-connect-runtime/main/LICENSE
• open-api/LICENSE

[kevinjqliu]

@amogh-jahagirdar mentioned (offline) that we should also backport the LICENSE/NOTICE files changes related to aircompressor from #15449

And there are a lot of changes 😨 :

[huaxingao]

I think the CVE fix is more important. We can have separate PR to backport #15449 if we decide to.

[singhpk234]

since this is a CVE it makes sense to bump the version on minor release. thanks @kevinjqliu

[amogh-jahagirdar]

@amogh-jahagirdar mentioned (offline) that we should also backport the LICENSE/NOTICE files changes related to aircompressor from #15449

No, I just said we should include the version information in kafka connect runtime/hive license just to be consistent with the status quo for the 1.10 branch (specifically bumping the version wherever referenced in the License, I only see 3 places, open API, kafka connect runtime, and kafka connect hive). IMO, we definitley should not backport #15449. I was just using that as refererence to the change that happened on master

[amogh-jahagirdar]

So https://github.com/apache/iceberg/blob/1.10.x/kafka-connect/kafka-connect-runtime/main/LICENSE#L735 and https://github.com/apache/iceberg/blob/1.10.x/kafka-connect/kafka-connect-runtime/hive/LICENSE#L780 also.

I think all the other places where airlift is mentioned it's without a version, which is fine we can leave those as is.

[kevinjqliu]

Thanks! I was confused. I fixed the 3 places where aircompressor is mentioned with a version

• kafka-connect/kafka-connect-runtime/hive/LICENSE
• kafka-connect/kafka-connect-runtime/main/LICENSE
• open-api/LICENSE

[nssalian]

Worth merging soon to patch the CVE

[amogh-jahagirdar]

Thanks @kevinjqliu! and thanks everyone for reviewing