Posted to commits@cassandra.apache.org by "Brandon Williams (Jira)" <ji...@apache.org> on 2021/06/11 18:52:00 UTC
[jira] [Updated] (CASSANDRA-16734) Remediate Cassandra 3.11.10 JAR dependency vulnerabilities
[ https://issues.apache.org/jira/browse/CASSANDRA-16734?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brandon Williams updated CASSANDRA-16734:
-----------------------------------------
Resolution: Invalid
Status: Resolved (was: Triage Needed)
Some of these have already been brought up and resolved as not being relevant, for instance CASSANDRA-16463. In any case we aren't going to upgrade these in blanket fashion, but on a case-by-case basis, so please file tickets for the specific libraries with vulnerabilities that affect the project.
> Remediate Cassandra 3.11.10 JAR dependency vulnerabilities
> -----------------------------------------------------------
>
> Key: CASSANDRA-16734
> URL: https://issues.apache.org/jira/browse/CASSANDRA-16734
> Project: Cassandra
> Issue Type: Improvement
> Components: Dependencies
> Reporter: Daniel Gomez
> Priority: Normal
>
> Several JAR dependencies are flagged in Cassandra 3.11.10 as having vulnerabilities that have been fixed in newer releases.
> The following is the Cassandra 3.11.10 source tree for their JAR dependencies: [https://github.com/apache/cassandra/tree/181a4969290f1c756089b2993a638fe403bc1314/lib]
> A possible fix strategy is to simply update the JARs to their newest version. See the JAR files available for each vulnerable library:
> * See [https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.9.10.8]
> * See [https://mvnrepository.com/artifact/io.netty/netty-all/4.1.65.Final]
> * See [https://mvnrepository.com/artifact/org.apache.thrift/libthrift/0.9.3-1]
> * See [https://mvnrepository.com/artifact/com.thinkaurelius.thrift/thrift-server/0.3.9]
> * See [https://mvnrepository.com/artifact/com.google.guava/guava/30.1.1-jre]
> * See [https://mvnrepository.com/artifact/ch.qos.logback/logback-core/1.2.3]
> * See [https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.29]
> * See [https://mvnrepository.com/artifact/commons-codec/commons-codec/1.15]