Posted to commits@cassandra.apache.org by br...@apache.org on 2022/10/18 15:39:23 UTC
[cassandra] 01/01: Merge branch 'cassandra-3.11' into cassandra-4.0
This is an automated email from the ASF dual-hosted git repository.
brandonwilliams pushed a commit to branch cassandra-4.0
in repository https://gitbox.apache.org/repos/asf/cassandra.git
commit 4157e7a8e04655af4553d9003b9cb46897dddc2c
Merge: 488c0c75a8 2e6528542b
Author: Brandon Williams <br...@apache.org>
AuthorDate: Tue Oct 18 10:31:37 2022 -0500
Merge branch 'cassandra-3.11' into cassandra-4.0
.build/dependency-check-suppressions.xml | 7 +++++++
CHANGES.txt | 1 +
2 files changed, 8 insertions(+)
diff --cc .build/dependency-check-suppressions.xml
index 9a84700c64,bd6f90da62..a065089feb
--- a/.build/dependency-check-suppressions.xml
+++ b/.build/dependency-check-suppressions.xml
@@@ -58,4 -46,47 +58,11 @@@
<cve>CVE-2021-43797</cve>
<cve>CVE-2022-24823</cve>
</suppress>
-
- <!-- https://issues.apache.org/jira/browse/CASSANDRA-14183 -->
- <suppress>
- <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-core@.*$</packageUrl>
- <cve>CVE-2017-5929</cve>
- </suppress>
- <suppress>
- <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-classic@.*$</packageUrl>
- <cve>CVE-2017-5929</cve>
- </suppress>
-
- <!-- this was fixed in 3.0.22 -->
- <suppress>
- <packageUrl regex="true">^pkg:maven/com\.datastax\.cassandra/cassandra\-driver\-core@.*$</packageUrl>
- <cve>CVE-2020-13946</cve>
- <cve>CVE-2020-17516</cve>
- <cve>CVE-2021-44521</cve>
- </suppress>
-
- <!-- https://issues.apache.org/jira/browse/CASSANDRA-14760 -->
- <suppress>
- <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
- <cve>CVE-2018-10237</cve>
- <cve>CVE-2020-8908</cve>
- </suppress>
-
- <!-- https://issues.apache.org/jira/browse/CASSANDRA-16606 -->
- <suppress>
- <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@.*$</packageUrl>
- <cve>CVE-2015-3254</cve>
- <cve>CVE-2016-5397</cve>
- <cve>CVE-2018-1320</cve>
- <cve>CVE-2018-11798</cve>
- <cve>CVE-2019-0205</cve>
- </suppress>
-
+ <!-- https://issues.apache.org/jira/browse/CASSANDRA-17966 -->
+ <suppress>
+ <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
+ <cve>CVE-2022-42003</cve>
+ <cve>CVE-2022-42004</cve>
+ </suppress>
+
</suppressions>
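Review bot: the added jackson-databind `<suppress>` entry matches every version (`@.*$`) and carries no expiry, so CVE-2022-42003 and CVE-2022-42004 stay hidden from the dependency check even after the library is upgraded. Consider narrowing the packageUrl regex to the version currently shipped, or setting an `until` date on the `<suppress>` element so the suppression is revisited. A `<notes>` element stating why these two CVEs are suppressed would also keep the rationale in the file instead of only behind the CASSANDRA-17966 link.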
diff --cc CHANGES.txt
index 4a85c97c53,cbe38d02b3..213c3fb918
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@@ -1,14 -1,5 +1,15 @@@
-3.11.14
+4.0.7
+ * Remove empty cq4 files in log directory to not fail the startup of BinLog (CASSANDRA-17933)
+ * Fix multiple BufferPool bugs (CASSANDRA-16681)
+ * Fix StorageService.getNativeaddress handling of IPv6 addresses (CASSANDRA-17945)
+ * Mitigate direct buffer memory OOM on replacements (CASSANDRA-17895)
+ * Fix repair failure on assertion if two peers have overlapping mismatching ranges (CASSANDRA-17900)
+ * Better handle null state in Gossip schema migration to avoid NPE (CASSANDRA-17864)
+ * HintedHandoffAddRemoveNodesTest now accounts for the fact that StorageMetrics.totalHints is not updated synchronously w/ writes (CASSANDRA-16679)
+ * Avoid getting hanging repairs due to repair message timeouts (CASSANDRA-17613)
+ * Prevent infinite loop in repair coordinator on FailSession (CASSANDRA-17834)
+Merged from 3.11:
+ * Suppress CVE-2022-42003 and CVE-2022-42004 (CASSANDRA-17966)
* Make LongBufferPoolTest insensitive to timing (CASSANDRA-16681)
* Suppress CVE-2022-25857 and other snakeyaml CVEs (CASSANDRA-17907)
* Fix potential IndexOutOfBoundsException in PagingState in mixed mode clusters (CASSANDRA-17840)
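Review bot: the new "Merged from 3.11" entry "Suppress CVE-2022-42003 and CVE-2022-42004" does not say which dependency is affected, while the snakeyaml entry two lines below it names its library. Suggest "Suppress jackson-databind CVE-2022-42003 and CVE-2022-42004 (CASSANDRA-17966)" so someone scanning the changelog can tell which jar the suppression covers.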