You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cassandra.apache.org by "Lerh Chuan Low (JIRA)" <ji...@apache.org> on 2018/05/04 00:12:00 UTC
[jira] [Commented] (CASSANDRA-14427) Bump jackson version to >=
2.9.5
[ https://issues.apache.org/jira/browse/CASSANDRA-14427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16463225#comment-16463225 ]
Lerh Chuan Low commented on CASSANDRA-14427:
--------------------------------------------
Turns out the 2.1 tests didn't make it, going to check on it.
> Bump jackson version to >= 2.9.5
> --------------------------------
>
> Key: CASSANDRA-14427
> URL: https://issues.apache.org/jira/browse/CASSANDRA-14427
> Project: Cassandra
> Issue Type: Improvement
> Reporter: Lerh Chuan Low
> Assignee: Lerh Chuan Low
> Priority: Major
> Attachments: 2.1-14427.txt, 2.2-14427.txt, 3.0-14427.txt, 3.X-14427.txt, trunk-14427.txt
>
>
> The Jackson being used by Cassandra is really old (1.9.2, and still references codehaus (Jackson 1) instead of fasterxml (Jackson 2)).
> There have been a few jackson vulnerabilities recently (mostly around deserialization which allows arbitrary code execution)
> [https://nvd.nist.gov/vuln/detail/CVE-2017-7525]
> [https://nvd.nist.gov/vuln/detail/CVE-2017-15095]
> [https://nvd.nist.gov/vuln/detail/CVE-2018-1327]
> [https://nvd.nist.gov/vuln/detail/CVE-2018-7489]
> Given that Jackson in Cassandra is really old and seems to be used also for reading in values, it looks worthwhile to update Jackson to 2.9.5.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org