Posted to commits@cassandra.apache.org by br...@apache.org on 2022/09/21 10:57:03 UTC

[cassandra] branch cassandra-4.0 updated (22ec7eee7f -> 756fb41512)

This is an automated email from the ASF dual-hosted git repository.

brandonwilliams pushed a change to branch cassandra-4.0
in repository https://gitbox.apache.org/repos/asf/cassandra.git


    from 22ec7eee7f Mitigate direct buffer memory OOM on replacements
     new 70b0673d85 Suppress CVE-2022-25857 et al for snakeyaml
     new 756fb41512 Merge branch 'cassandra-3.11' into cassandra-4.0

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .build/dependency-check-suppressions.xml | 9 +++++++++
 CHANGES.txt                              | 1 +
 2 files changed, 10 insertions(+)


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org


[cassandra] 01/01: Merge branch 'cassandra-3.11' into cassandra-4.0

Posted by br...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

brandonwilliams pushed a commit to branch cassandra-4.0
in repository https://gitbox.apache.org/repos/asf/cassandra.git

commit 756fb41512abc090fa22f73e70630b300458ebca
Merge: 22ec7eee7f 70b0673d85
Author: Brandon Williams <br...@apache.org>
AuthorDate: Wed Sep 21 05:48:48 2022 -0500

    Merge branch 'cassandra-3.11' into cassandra-4.0

 .build/dependency-check-suppressions.xml | 9 +++++++++
 CHANGES.txt                              | 1 +
 2 files changed, 10 insertions(+)

diff --cc .build/dependency-check-suppressions.xml
index 5ceca24397,28cbf593bd..9a84700c64
--- a/.build/dependency-check-suppressions.xml
+++ b/.build/dependency-check-suppressions.xml
@@@ -21,26 -21,23 +21,35 @@@
  -->
  <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
      <suppress>
 -        <!--  https://issues.apache.org/jira/browse/CASSANDRA-16150 -->
 +        <!-- not applicable since 4.0 -->
 +        <packageUrl regex="true">^pkg:maven/com\.datastax\.cassandra/cassandra\-driver\-core@.*$</packageUrl>
 +        <cve>CVE-2018-8016</cve>
 +        <cve>CVE-2020-13946</cve>
 +        <cve>CVE-2020-17516</cve>
 +        <cve>CVE-2021-44521</cve>
 +    </suppress>
++    <suppress>
++        <!--  https://issues.apache.org/jira/browse/CASSANDRA-17907 -->
+         <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
 -        <cve>CVE-2017-18640</cve>
+         <cve>CVE-2022-25857</cve>
+         <cve>CVE-2022-38749</cve>
+         <cve>CVE-2022-38750</cve>
+         <cve>CVE-2022-38751</cve>
+         <cve>CVE-2022-38752</cve>
+     </suppress>
 -
 -    <!-- https://issues.apache.org/jira/browse/CASSANDRA-15417 -->
 +    <suppress>
 +        <!-- dependency checker identified this as a completely different package (wire) -->
 +        <packageUrl regex="true">^pkg:maven/net\.openhft/chronicle\-wire@.*$</packageUrl>
 +        <cpe>cpe:/a:wire:wire</cpe>
 +    </suppress>
 +    <suppress>
 +        <!-- not applicable https://nvd.nist.gov/vuln/detail/CVE-2020-8908 -->
 +        <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
 +        <cve>CVE-2020-8908</cve>
 +    </suppress>
 +    <!-- netty's http stuff is not applicable here -->
      <suppress>
          <packageUrl regex="true">^pkg:maven/io\.netty/netty\-all@.*$</packageUrl>
 -        <cve>CVE-2019-16869</cve>
 -        <cve>CVE-2019-20444</cve>
 -        <cve>CVE-2019-20445</cve>
 -        <cve>CVE-2020-7238</cve>
          <cve>CVE-2021-21290</cve>
          <cve>CVE-2021-21295</cve>
          <cve>CVE-2021-21409</cve>
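Review bot: the new snakeyaml suppress block (the `++` lines for CASSANDRA-17907) carries only the JIRA link, with no rationale and no expiry, while the neighbouring suppressions in this file state why they do not apply ("not applicable since 4.0", "netty's http stuff is not applicable here"). Since the packageUrl regex `^pkg:maven/org\.yaml/snakeyaml@.*$` matches every snakeyaml version, these five CVEs stay masked after any future upgrade or downgrade of the dependency; suggest adding a one-line comment stating why CVE-2022-25857 and CVE-2022-38749 through CVE-2022-38752 do not affect Cassandra's use of snakeyaml, and consider the suppression schema's `until` attribute on the `<suppress>` element so the entry is revisited once a fixed snakeyaml is pulled in rather than silently persisting.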
diff --cc CHANGES.txt
index 664791f43a,d3031cd294..76c64f2dc9
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@@ -1,46 -1,15 +1,47 @@@
 -3.11.14
 +4.0.7
 + * Mitigate direct buffer memory OOM on replacements (CASSANDRA-17895)
 + * Fix repair failure on assertion if two peers have overlapping mismatching ranges (CASSANDRA-17900)
 + * Better handle null state in Gossip schema migration to avoid NPE (CASSANDRA-17864)
 + * HintedHandoffAddRemoveNodesTest now accounts for the fact that StorageMetrics.totalHints is not updated synchronously w/ writes (CASSANDRA-16679)
 + * Avoid getting hanging repairs due to repair message timeouts (CASSANDRA-17613)
 + * Prevent infinite loop in repair coordinator on FailSession (CASSANDRA-17834)
 +Merged from 3.11:
+  * Suppress CVE-2022-25857 and other snakeyaml CVEs (CASSANDRA-17907)
   * Fix potential IndexOutOfBoundsException in PagingState in mixed mode clusters (CASSANDRA-17840)
 - * Document usage of closed token intervals in manual compaction (CASSANDRA-17575)
 - * Creating of a keyspace on insufficient number of replicas should filter out gosspping-only members (CASSANDRA-17759)
 - * Only use statically defined subcolumns when determining column definition for supercolumn cell (CASSANDRA-14113)
  Merged from 3.0:
   * Fix scrubber falling into infinite loop when the last partition is broken (CASSANDRA-17862)
 + * Fix resetting schema (CASSANDRA-17819)
 +
 +4.0.6
 + * Fix race condition on updating cdc size and advancing to next segment (CASSANDRA-17792)
 + * Add 'noboolean' rpm build for older distros like CentOS7 (CASSANDRA-17765)
 + * Fix default value for compaction_throughput_mb_per_sec in Config class to match  the one in cassandra.yaml (CASSANDRA-17790)
 + * Fix Setting Virtual Table - update after startup config properties gc_log_threshold_in_ms, gc_warn_threshold_in_ms,
 +   conf.index_summary_capacity_in_mb, prepared_statements_cache_size_mb, key_cache_size_in_mb, counter_cache_size_in_mb
 +   (CASSANDRA-17737)
 + * Fix Settings Virtual Table - index_summary_resize_interval and index_summary_capacity were not updated after startup (CASSANDRA-17735)
 + * Clean up ScheduledExecutors, CommitLog, and MessagingService shutdown for in-JVM dtests (CASSANDRA-17731)
 + * Remove extra write to system table for prepared statements (CASSANDRA-17764)
 +Merged from 3.11:
 + * Document usage of closed token intervals in manual compaction (CASSANDRA-17575)
 +Merged from 3.0:
   * Improve libjemalloc resolution in bin/cassandra (CASSANDRA-15767)
   * Fix restarting of services on gossipping-only member (CASSANDRA-17752)
 +
 +4.0.5
 + * Utilise BTree improvements to reduce garbage and improve throughput (CASSANDRA-15511)
 + * Make sure existing delayed tasks in StreamTransferTask cannot prevent clean shutdown (CASSANDRA-17706)
 + * SSL storage port in sstableloader is deprecated (CASSANDRA-17602)
 + * Fix counter write timeouts at ONE (CASSANDRA-17411)
 + * Fix NPE in getLocalPrimaryRangeForEndpoint (CASSANDRA-17680)
 + * Remove SSL storage port from sstableloader (CASSANDRA-17602)
 + * Allow Java 11 to satisfy RPM/Debian packaging (CASSANDRA-17669)
 + * Ensure FileStreamTask cannot compromise shared channel proxy for system table when interrupted (CASSANDRA-17663)
 + * silence benign SslClosedEngineException (CASSANDRA-17565)
 +Merged from 3.11:
 + * Creating of a keyspace on insufficient number of replicas should filter out gosspping-only members (CASSANDRA-17759)
 +Merged from 3.0:
   * Fix writetime and ttl functions forbidden for collections instead of multicell columns (CASSANDRA-17628)
 - * Supress CVE-2020-7238 (CASSANDRA-17697)
   * Fix issue where frozen maps may not be serialized in the correct order (CASSANDRA-17623)
   * Suppress CVE-2022-24823 (CASSANDRA-17633)
   * fsync TOC and digest files (CASSANDRA-10709)
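Review bot: the CHANGES.txt entry under "Merged from 3.11" names only CVE-2022-25857 ("and other snakeyaml CVEs"), whereas the suppression file in this same merge lists five identifiers (CVE-2022-25857, CVE-2022-38749, CVE-2022-38750, CVE-2022-38751, CVE-2022-38752). Suggest listing all five in the entry, as the earlier entries "Suppress CVE-2022-24823 (CASSANDRA-17633)" and "Supress CVE-2020-7238 (CASSANDRA-17697)" do, so that anyone auditing the changelog for a specific CVE can find it by identifier.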

