Posted to commits@cassandra.apache.org by "Mark Denihan (Jira)" <ji...@apache.org> on 2020/08/18 08:30:00 UTC
[jira] [Created] (CASSANDRA-16056) Remove jackson-mapper-asl-1.9.13 to mitigate CVE-2019-10172
Mark Denihan created CASSANDRA-16056:
----------------------------------------
Summary: Remove jackson-mapper-asl-1.9.13 to mitigate CVE-2019-10172
Key: CASSANDRA-16056
URL: https://issues.apache.org/jira/browse/CASSANDRA-16056
Project: Cassandra
Issue Type: Bug
Reporter: Mark Denihan
As a Cassandra consumer
I want the jackson-mapper-asl removed
So that I do not suffer risks that are published in that dependency
Swapping the codehaus libraries over to jackson-databind resulted in CVE-2019-10172 being mitigated in 3.11. See CASSANDRA-15867:
{code:java}
Author: Stefan Miklosovic <st...@instaclustr.com> 2020-06-13 16:09:00
Committer: Brandon Williams <br...@apache.org> 2020-06-17 17:21:35
Parent: e49853914bd407827093cebf5151db0ebe2eba9e (Merge branch 'cassandra-3.0' into cassandra-3.11)
Child: ac289270f2bb3bb7251319f7f71d6c66a4272db4 (Merge branch 'cassandra-3.0' into cassandra-3.11)
Branches: 3.11.7, cassandra-3.11, remotes/origin/cassandra-3.11, remotes/origin/trunk, trunk
Follows: cassandra-3.11.6
Precedes: cassandra-3.11.7
update Jackson to 2.9.10
Patch by Stefan Miklosovic, reviewed by brandonwilliams for
CASSANDRA-15867
---------------------------------- build.xml ----------------------------------
index 0724dbb29c..25a47335b9 100644
@@ -406,8 +406,9 @@
<dependency groupId="org.slf4j" artifactId="jcl-over-slf4j" version="1.7.7" />
<dependency groupId="ch.qos.logback" artifactId="logback-core" version="1.1.3"/>
<dependency groupId="ch.qos.logback" artifactId="logback-classic" version="1.1.3"/>
- <dependency groupId="org.codehaus.jackson" artifactId="jackson-core-asl" version="1.9.2"/>
- <dependency groupId="org.codehaus.jackson" artifactId="jackson-mapper-asl" version="1.9.2"/>
+ <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-core" version="2.9.10"/>
+ <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-databind" version="2.9.10.4"/>
+ <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-annotations" version="2.9.10"/>
<dependency groupId="com.googlecode.json-simple" artifactId="json-simple" version="1.1"/>
<dependency groupId="com.boundary" artifactId="high-scale-lib" version="1.0.6"/>
<dependency groupId="com.github.jbellis" artifactId="jamm" version="0.3.0"/>
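Review bot: the three replacement artifacts are declared at two different versions (jackson-core and jackson-annotations at 2.9.10, jackson-databind at 2.9.10.4) while the commit message only says "update Jackson to 2.9.10"; state in the message which is intended, and consider declaring the Jackson version once as an Ant property so a future bump cannot move one of the three without the others. Note also that the removed lines are jackson-core-asl/jackson-mapper-asl 1.9.2, whereas the ticket title names jackson-mapper-asl-1.9.13, so the jar the ticket is worried about was evidently not the directly declared one; dropping the direct declaration does not stop another dependency from pulling the org.codehaus.jackson artifacts back onto the classpath, so the resolved lib/ set should be checked after the build rather than assumed.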
@@ -627,8 +628,9 @@
<dependency groupId="org.slf4j" artifactId="slf4j-api"/>
<dependency groupId="org.slf4j" artifactId="log4j-over-slf4j"/>
<dependency groupId="org.slf4j" artifactId="jcl-over-slf4j"/>
- <dependency groupId="org.codehaus.jackson" artifactId="jackson-core-asl"/>
- <dependency groupId="org.codehaus.jackson" artifactId="jackson-mapper-asl"/>
+ <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-core"/>
+ <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-databind"/>
+ <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-annotations"/>
<dependency groupId="com.googlecode.json-simple" artifactId="json-simple"/>
<dependency groupId="com.boundary" artifactId="high-scale-lib"/>
<dependency groupId="org.yaml" artifactId="snakeyaml"/>
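Review bot: this second list carries no version attributes, so it has to be kept in lockstep with the versioned block at @@ -406 above; it is in this patch (same three com.fasterxml.jackson.core artifacts added, both org.codehaus.jackson entries removed), but nothing enforces that, so a comment in build.xml pointing each list at the other, or the single version property suggested above, would keep the two from drifting apart on the next bump. Since this hunk only edits the dependency list, it is also worth confirming that no other reference to the old org.codehaus.jackson group remains elsewhere in build.xml.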
{code}
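A defender reviewing a change like the one above wants two things checked mechanically: that no org.codehaus.jackson (the 1.x "asl" line carrying CVE-2019-10172) declaration survives in the build file, and that the com.fasterxml.jackson.core replacements are declared at a consistent base version. The script below is an added example written for this ticket, not code from the Cassandra project; the build.xml fragment it parses is constructed to mirror the shape of the diff, with one stale codehaus entry deliberately left in so the check has something to report.

```python
"""Audit Ant build.xml <dependency> declarations for leftover codehaus Jackson
artifacts and for version drift among the jackson 2.x replacements.

Added example for CASSANDRA-16056; not part of the Cassandra build.
"""
import xml.etree.ElementTree as ET

# Constructed fragment: the post-patch dependency block, plus one stale
# org.codehaus.jackson entry left in on purpose (hypothetical, for the demo).
BUILD_XML_AFTER = """<dependencies>
  <dependency groupId="org.slf4j" artifactId="jcl-over-slf4j" version="1.7.7" />
  <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-core" version="2.9.10"/>
  <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-databind" version="2.9.10.4"/>
  <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-annotations" version="2.9.10"/>
  <dependency groupId="org.codehaus.jackson" artifactId="jackson-mapper-asl" version="1.9.13"/>
  <dependency groupId="com.googlecode.json-simple" artifactId="json-simple" version="1.1"/>
</dependencies>"""

LEGACY_GROUP = "org.codehaus.jackson"        # Jackson 1.x, the line the ticket wants gone
JACKSON2_GROUP = "com.fasterxml.jackson.core"  # the replacement declared in the patch


def parse_dependencies(xml_text):
    """Return (groupId, artifactId, version) tuples for every <dependency> element.

    version is None for unversioned entries such as the second list in the patch.
    """
    root = ET.fromstring(xml_text)
    return [(el.get("groupId"), el.get("artifactId"), el.get("version"))
            for el in root.iter("dependency")]


def legacy_jackson(deps):
    """Artifacts still declared under the codehaus groupId, as (artifactId, version)."""
    return [(artifact, version) for group, artifact, version in deps
            if group == LEGACY_GROUP]


def base_version(version):
    """Reduce '2.9.10.4' to '2.9.10'.

    jackson-databind ships micro releases (a fourth component) on top of a
    jackson-core version, so drift is judged on the first three components.
    """
    return ".".join(version.split(".")[:3])


def jackson2_base_versions(deps):
    """Distinct base versions among the versioned jackson 2.x artifacts.

    More than one member means core/databind/annotations are not aligned.
    """
    return {base_version(version) for group, _, version in deps
            if group == JACKSON2_GROUP and version}


def audit(xml_text):
    """Run both checks and return a summary dict a CI step could assert on."""
    deps = parse_dependencies(xml_text)
    bases = jackson2_base_versions(deps)
    return {
        "legacy_jackson": legacy_jackson(deps),
        "jackson2_base_versions": sorted(bases),
        "jackson2_aligned": len(bases) <= 1,
    }


if __name__ == "__main__":
    result = audit(BUILD_XML_AFTER)
    for artifact, version in result["legacy_jackson"]:
        print(f"FAIL: {LEGACY_GROUP}:{artifact}:{version} still declared")
    print("jackson 2.x base versions:", result["jackson2_base_versions"],
          "(aligned)" if result["jackson2_aligned"] else "(DRIFT)")
```

Running it against the constructed fragment reports the leftover jackson-mapper-asl 1.9.13 entry and confirms the three fasterxml artifacts share base version 2.9.10. Because the second dependency list in the patch has no version attributes, `jackson2_base_versions` ignores unversioned entries rather than treating them as drift; a real CI wiring would run `audit` over the whole build.xml and fail the build when `legacy_jackson` is non-empty.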
--
This message was sent by Atlassian Jira
(v8.3.4#803005)