[
https://issues.apache.org/jira/browse/CASSANDRA-8974?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14365178#comment-14365178
]
Joe Fasano commented on CASSANDRA-8974:
---------------------------------------
Beyond general dependency updating, here is the feedback I am getting....
For Jackson -
There is no formal CVS yet, but this version of Jackson does have a vulnerability. See
http://markmail.org/message/7t76h5svb6snsqck?q=+list:org%2Ecodehaus%2Ejackson%2Eannounce
For Jodatime -
joda-time 1.6 is considered to be EOL under company policy. Anything that was
released over 6 years ago is likely to be considered. It's generally against
company policy to use EOL third party software.
> Need to update to latest dependencies
> -------------------------------------
>
> Key: CASSANDRA-8974
> URL: https://issues.apache.org/jira/browse/CASSANDRA-8974
> Project: Cassandra
> Issue Type: Improvement
> Components: Packaging
> Reporter: Joe Fasano
> Fix For: 3.0
>
>
> Open C* 3.0 to deal with upgrading all the dependencies.
> This is a general issue to update all dependencies.
> Specifically for example, I have been told by my team that some of the
> cassandra dependencies have some security vulnerabilities and should be
> upgraded.
> > Joda Time 1.6 should be upgraded to 2.7
> > Jackson 1.9.2 should be upgraded to 1.9.13