Posted to dev@cassandra.apache.org by Joe Fasano <jo...@symantec.com> on 2015/03/13 20:22:23 UTC

Question on updating Cassandra dependencies

Hello All,

I have been told by my team that some of the Cassandra dependencies have some vulnerabilities and
should be upgraded.  Specifically,
Joda Time 1.6 should be upgraded to 2.7
Jackson 1.9.2 should be upgraded to 1.9.13

Is there any schedule or process of getting Cassandra updates to include updated dependencies?


Thanks,
joe


Joe Fasano
Sr. Development Manager
Symantec Corporation



Re: Question on updating Cassandra dependencies

Posted by Michael Shuler <mi...@pbandjelly.org>.
On 03/13/2015 05:58 PM, Joe Fasano wrote:
> I'm not familiar with opening a JIRA, but it would be great to open a general
> incident for updating all dependencies in 3.0.

Just a quick follow up - a JIRA was opened on the topic:

https://issues.apache.org/jira/browse/CASSANDRA-8974

>> On Fri, Mar 13, 2015 at 12:22 PM, Joe Fasano <jo...@symantec.com>
>> wrote:
>>> I have been told by my team that some of the Cassandra dependencies have
>>> some vulnerabilities and
>>> should be upgraded. Specifically,
>>> Joda Time 1.6 should be upgraded to 2.7
>>> Jackson 1.9.2 should be upgraded to 1.9.13

As requested on JIRA, please comment on that JIRA ticket with the 
vulnerability details. I also tried to dig around the changelogs of joda 
and jackson and was unable to see what the above statement might refer to.

-- 
Kind regards,
Michael

Re: Question on updating Cassandra dependencies

Posted by Joe Fasano <jo...@symantec.com>.
From blogs I read that the estimate for the release of 3.0 is April 2015.

I'm not familiar with opening a JIRA, but it would be great to open a general
incident for updating all dependencies in 3.0.

joe


On 3/13/2015 3:30 PM, Aleksey Yeschenko wrote:
> We don’t upgrade dependencies in minor C* releases, so 2.0 and 2.1 will have to stick to what’s already there.
>
> Feel free to open a JIRA issue for C* 3.0 to deal with upgrading all the dependencies, though. Just don’t create a PR - we cannot accept them. Just leave a comment with a link to your GH branch with the changes in JIRA.
>
> Thanks.
>
> -- 
> AY
>
> On March 13, 2015 at 15:26:47, Paul Brown (paulrbrown@gmail.com) wrote:
>
> Wow. It would be great if the Jackson dep could move up to 2.x. We'd even
> be willing to provide a PR for it.
>
> On Fri, Mar 13, 2015 at 12:22 PM, Joe Fasano <jo...@symantec.com>
> wrote:
>
>> Hello All,
>>   
>> I have been told by my team that some of the Cassandra dependencies have
>> some vulnerabilities and
>> should be upgraded. Specifically,
>> Joda Time 1.6 should be upgraded to 2.7
>> Jackson 1.9.2 should be upgraded to 1.9.13
>>   
>> Is there any schedule or process of getting Cassandra updates to include
>> updated dependencies?
>>   
>>   
>> Thanks,
>> joe
>>   
>>   
>> Joe Fasano
>> Sr. Development Manager
>> Symantec Corporation


Re: Question on updating Cassandra dependencies

Posted by Aleksey Yeschenko <al...@apache.org>.
We don’t upgrade dependencies in minor C* releases, so 2.0 and 2.1 will have to stick to what’s already there.

Feel free to open a JIRA issue for C* 3.0 to deal with upgrading all the dependencies, though. Just don’t create a PR - we cannot accept them. Just leave a comment with a link to your GH branch with the changes in JIRA.

Thanks.

-- 
AY

On March 13, 2015 at 15:26:47, Paul Brown (paulrbrown@gmail.com) wrote:

Wow. It would be great if the Jackson dep could move up to 2.x. We'd even  
be willing to provide a PR for it.  

On Fri, Mar 13, 2015 at 12:22 PM, Joe Fasano <jo...@symantec.com>  
wrote:  

> Hello All,  
>  
> I have been told by my team that some of the Cassandra dependencies have  
> some vulnerabilities and  
> should be upgraded. Specifically,  
> Joda Time 1.6 should be upgraded to 2.7  
> Jackson 1.9.2 should be upgraded to 1.9.13  
>  
> Is there any schedule or process of getting Cassandra updates to include  
> updated dependencies?  
>  
>  
> Thanks,  
> joe  
>  
>  
> Joe Fasano  
> Sr. Development Manager  
> Symantec Corporation  

Re: Question on updating Cassandra dependencies

Posted by Paul Brown <pa...@gmail.com>.
Wow.  It would be great if the Jackson dep could move up to 2.x.  We'd even
be willing to provide a PR for it.

On Fri, Mar 13, 2015 at 12:22 PM, Joe Fasano <jo...@symantec.com>
wrote:

> Hello All,
>
> I have been told by my team that some of the Cassandra dependencies have
> some vulnerabilities and
> should be upgraded.  Specifically,
> Joda Time 1.6 should be upgraded to 2.7
> Jackson 1.9.2 should be upgraded to 1.9.13
>
> Is there any schedule or process of getting Cassandra updates to include
> updated dependencies?
>
>
> Thanks,
> joe
>
>
> Joe Fasano
> Sr. Development Manager
> Symantec Corporation