You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cassandra.apache.org by br...@apache.org on 2022/09/21 10:57:04 UTC

[cassandra] 01/01: Merge branch 'cassandra-3.11' into cassandra-4.0

This is an automated email from the ASF dual-hosted git repository.

brandonwilliams pushed a commit to branch cassandra-4.0
in repository https://gitbox.apache.org/repos/asf/cassandra.git

commit 756fb41512abc090fa22f73e70630b300458ebca
Merge: 22ec7eee7f 70b0673d85
Author: Brandon Williams <br...@apache.org>
AuthorDate: Wed Sep 21 05:48:48 2022 -0500

    Merge branch 'cassandra-3.11' into cassandra-4.0

 .build/dependency-check-suppressions.xml | 9 +++++++++
 CHANGES.txt                              | 1 +
 2 files changed, 10 insertions(+)

diff --cc .build/dependency-check-suppressions.xml
index 5ceca24397,28cbf593bd..9a84700c64
--- a/.build/dependency-check-suppressions.xml
+++ b/.build/dependency-check-suppressions.xml
@@@ -21,26 -21,23 +21,35 @@@
  -->
  <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
      <suppress>
 -        <!--  https://issues.apache.org/jira/browse/CASSANDRA-16150 -->
 +        <!-- not applicable since 4.0 -->
 +        <packageUrl regex="true">^pkg:maven/com\.datastax\.cassandra/cassandra\-driver\-core@.*$</packageUrl>
 +        <cve>CVE-2018-8016</cve>
 +        <cve>CVE-2020-13946</cve>
 +        <cve>CVE-2020-17516</cve>
 +        <cve>CVE-2021-44521</cve>
 +    </suppress>
++    <suppress>
++        <!--  https://issues.apache.org/jira/browse/CASSANDRA-17907 -->
+         <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
 -        <cve>CVE-2017-18640</cve>
+         <cve>CVE-2022-25857</cve>
+         <cve>CVE-2022-38749</cve>
+         <cve>CVE-2022-38750</cve>
+         <cve>CVE-2022-38751</cve>
+         <cve>CVE-2022-38752</cve>
+     </suppress>
 -
 -    <!-- https://issues.apache.org/jira/browse/CASSANDRA-15417 -->
 +    <suppress>
 +        <!-- dependency checker identified this as a completely different package (wire) -->
 +        <packageUrl regex="true">^pkg:maven/net\.openhft/chronicle\-wire@.*$</packageUrl>
 +        <cpe>cpe:/a:wire:wire</cpe>
 +    </suppress>
 +    <suppress>
 +        <!-- not applicable https://nvd.nist.gov/vuln/detail/CVE-2020-8908 -->
 +        <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
 +        <cve>CVE-2020-8908</cve>
 +    </suppress>
 +    <!-- netty's http stuff is not applicable here -->
      <suppress>
          <packageUrl regex="true">^pkg:maven/io\.netty/netty\-all@.*$</packageUrl>
 -        <cve>CVE-2019-16869</cve>
 -        <cve>CVE-2019-20444</cve>
 -        <cve>CVE-2019-20445</cve>
 -        <cve>CVE-2020-7238</cve>
          <cve>CVE-2021-21290</cve>
          <cve>CVE-2021-21295</cve>
          <cve>CVE-2021-21409</cve>
diff --cc CHANGES.txt
index 664791f43a,d3031cd294..76c64f2dc9
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@@ -1,46 -1,15 +1,47 @@@
 -3.11.14
 +4.0.7
 + * Mitigate direct buffer memory OOM on replacements (CASSANDRA-17895)
 + * Fix repair failure on assertion if two peers have overlapping mismatching ranges (CASSANDRA-17900)
 + * Better handle null state in Gossip schema migration to avoid NPE (CASSANDRA-17864)
 + * HintedHandoffAddRemoveNodesTest now accounts for the fact that StorageMetrics.totalHints is not updated synchronously w/ writes (CASSANDRA-16679)
 + * Avoid getting hanging repairs due to repair message timeouts (CASSANDRA-17613)
 + * Prevent infinite loop in repair coordinator on FailSession (CASSANDRA-17834)
 +Merged from 3.11:
+  * Suppress CVE-2022-25857 and other snakeyaml CVEs (CASSANDRA-17907)
   * Fix potential IndexOutOfBoundsException in PagingState in mixed mode clusters (CASSANDRA-17840)
 - * Document usage of closed token intervals in manual compaction (CASSANDRA-17575)
 - * Creating of a keyspace on insufficient number of replicas should filter out gosspping-only members (CASSANDRA-17759)
 - * Only use statically defined subcolumns when determining column definition for supercolumn cell (CASSANDRA-14113)
  Merged from 3.0:
   * Fix scrubber falling into infinite loop when the last partition is broken (CASSANDRA-17862)
 + * Fix resetting schema (CASSANDRA-17819)
 +
 +4.0.6
 + * Fix race condition on updating cdc size and advancing to next segment (CASSANDRA-17792)
 + * Add 'noboolean' rpm build for older distros like CentOS7 (CASSANDRA-17765)
 + * Fix default value for compaction_throughput_mb_per_sec in Config class to match  the one in cassandra.yaml (CASSANDRA-17790)
 + * Fix Setting Virtual Table - update after startup config properties gc_log_threshold_in_ms, gc_warn_threshold_in_ms,
 +   conf.index_summary_capacity_in_mb, prepared_statements_cache_size_mb, key_cache_size_in_mb, counter_cache_size_in_mb
 +   (CASSANDRA-17737)
 + * Fix Settings Virtual Table - index_summary_resize_interval and index_summary_capacity were not updated after startup (CASSANDRA-17735)
 + * Clean up ScheduledExecutors, CommitLog, and MessagingService shutdown for in-JVM dtests (CASSANDRA-17731)
 + * Remove extra write to system table for prepared statements (CASSANDRA-17764)
 +Merged from 3.11:
 + * Document usage of closed token intervals in manual compaction (CASSANDRA-17575)
 +Merged from 3.0:
   * Improve libjemalloc resolution in bin/cassandra (CASSANDRA-15767)
   * Fix restarting of services on gossipping-only member (CASSANDRA-17752)
 +
 +4.0.5
 + * Utilise BTree improvements to reduce garbage and improve throughput (CASSANDRA-15511)
 + * Make sure existing delayed tasks in StreamTransferTask cannot prevent clean shutdown (CASSANDRA-17706)
 + * SSL storage port in sstableloader is deprecated (CASSANDRA-17602)
 + * Fix counter write timeouts at ONE (CASSANDRA-17411)
 + * Fix NPE in getLocalPrimaryRangeForEndpoint (CASSANDRA-17680)
 + * Remove SSL storage port from sstableloader (CASSANDRA-17602)
 + * Allow Java 11 to satisfy RPM/Debian packaging (CASSANDRA-17669)
 + * Ensure FileStreamTask cannot compromise shared channel proxy for system table when interrupted (CASSANDRA-17663)
 + * silence benign SslClosedEngineException (CASSANDRA-17565)
 +Merged from 3.11:
 + * Creating of a keyspace on insufficient number of replicas should filter out gosspping-only members (CASSANDRA-17759)
 +Merged from 3.0:
   * Fix writetime and ttl functions forbidden for collections instead of multicell columns (CASSANDRA-17628)
 - * Supress CVE-2020-7238 (CASSANDRA-17697)
   * Fix issue where frozen maps may not be serialized in the correct order (CASSANDRA-17623)
   * Suppress CVE-2022-24823 (CASSANDRA-17633)
   * fsync TOC and digest files (CASSANDRA-10709)


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org