Posted to commits@cassandra.apache.org by "Stefan Miklosovic (Jira)" <ji...@apache.org> on 2021/09/27 08:19:00 UTC

[jira] [Assigned] (CASSANDRA-16056) Remove jackson-mapper-asl-1.9.13 to mitigate CVE-2019-10172

     [ https://issues.apache.org/jira/browse/CASSANDRA-16056?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefan Miklosovic reassigned CASSANDRA-16056:
---------------------------------------------

    Assignee: Stefan Miklosovic

> Remove jackson-mapper-asl-1.9.13 to mitigate CVE-2019-10172
> -----------------------------------------------------------
>
>                 Key: CASSANDRA-16056
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-16056
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Dependencies
>            Reporter: Mark Denihan
>            Assignee: Stefan Miklosovic
>            Priority: Normal
>             Fix For: 2.2.x, 3.0.x
>
>
> As a Cassandra consumer
>  I want the jackson-mapper-asl removed
>  So that I do not suffer risks that are published in that dependency
> Swapping the codehaus libraries over to jackson-databind resulted in CVE-2019-10172 being mitigated in 3.11. See CASSANDRA-15867:
> {code:java}
> Author: Stefan Miklosovic <st...@instaclustr.com>  2020-06-13 16:09:00
> Committer: Brandon Williams <br...@apache.org>  2020-06-17 17:21:35
> Parent: e49853914bd407827093cebf5151db0ebe2eba9e (Merge branch 'cassandra-3.0' into cassandra-3.11)
> Child:  ac289270f2bb3bb7251319f7f71d6c66a4272db4 (Merge branch 'cassandra-3.0' into cassandra-3.11)
> Branches: 3.11.7, cassandra-3.11, remotes/origin/cassandra-3.11, remotes/origin/trunk, trunk
> Follows: cassandra-3.11.6
> Precedes: cassandra-3.11.7
>     update Jackson to 2.9.10
>     
>     Patch by Stefan Miklosovic, reviewed by brandonwilliams for
>     CASSANDRA-15867
> ---------------------------------- build.xml ----------------------------------
> index 0724dbb29c..25a47335b9 100644
> @@ -406,8 +406,9 @@
>            <dependency groupId="org.slf4j" artifactId="jcl-over-slf4j" version="1.7.7" />
>            <dependency groupId="ch.qos.logback" artifactId="logback-core" version="1.1.3"/>
>            <dependency groupId="ch.qos.logback" artifactId="logback-classic" version="1.1.3"/>
> -          <dependency groupId="org.codehaus.jackson" artifactId="jackson-core-asl" version="1.9.2"/>
> -          <dependency groupId="org.codehaus.jackson" artifactId="jackson-mapper-asl" version="1.9.2"/>
> +          <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-core" version="2.9.10"/>
> +          <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-databind" version="2.9.10.4"/>
> +          <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-annotations" version="2.9.10"/>
>            <dependency groupId="com.googlecode.json-simple" artifactId="json-simple" version="1.1"/>
>            <dependency groupId="com.boundary" artifactId="high-scale-lib" version="1.0.6"/>
>            <dependency groupId="com.github.jbellis" artifactId="jamm" version="0.3.0"/>
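Review bot: The three added lines pin jackson-core and jackson-annotations at 2.9.10 but jackson-databind at 2.9.10.4, with nothing saying the difference is intended. A short XML comment above them stating that databind carries its own micro-patch version would stop a later bump from "aligning" it downwards. The commit subject "update Jackson to 2.9.10" also undersells the change: the groupId moves from org.codehaus.jackson to com.fasterxml.jackson.core, so this replaces the library rather than bumping it, and the message should say so. Note too that the removed lines are at version 1.9.2, not the 1.9.13 named in the ticket title, so a backport to 2.2.x or 3.0.x should not assume this hunk applies as-is.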
> @@ -627,8 +628,9 @@
>          <dependency groupId="org.slf4j" artifactId="slf4j-api"/>
>          <dependency groupId="org.slf4j" artifactId="log4j-over-slf4j"/>
>          <dependency groupId="org.slf4j" artifactId="jcl-over-slf4j"/>
> -        <dependency groupId="org.codehaus.jackson" artifactId="jackson-core-asl"/>
> -        <dependency groupId="org.codehaus.jackson" artifactId="jackson-mapper-asl"/>
> +        <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-core"/>
> +        <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-databind"/>
> +        <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-annotations"/>
>          <dependency groupId="com.googlecode.json-simple" artifactId="json-simple"/>
>          <dependency groupId="com.boundary" artifactId="high-scale-lib"/>
>          <dependency groupId="org.yaml" artifactId="snakeyaml"/>
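Review bot: The version-less entries added here depend on the versioned declarations in the earlier block, so the two lists have to be kept in step by hand; all three artifactIds do match in this patch, but a comment tying the two blocks together would help the next editor. Deleting the two org.codehaus.jackson declarations also does not by itself show that jackson-mapper-asl is gone from the build, since nothing in this hunk rules out another dependency pulling it in transitively. I would add a build-time check that no org.codehaus.jackson artifact remains in the resolved dependency set, since removing that jar is the stated goal of the ticket.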
> {code}
>  


