[jira] [Comment Edited] (CASSANDRA-14427) Bump jackson version to >= 2.9.5

Thu, 17 May 2018 22:30:30 -0700 

    [ 
https://issues.apache.org/jira/browse/CASSANDRA-14427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16480188#comment-16480188
 ] 

Jason Brown edited comment on CASSANDRA-14427 at 5/18/18 5:29 AM:
------------------------------------------------------------------

Holy cow, [~Lerh Low]. Thanks for all the background info. Based on that, it 
looks like it is not imperative to upgrade the previous versions of casandra, 
and thus upgrading trunk is sufficient.

+1 on the patch for trunk, and committed as sha 
{{76ef78b7d74972bd235159ca304648ab439fb715}}. Thanks!


was (Author: jasobrown):
Holy cow, [~Lerh Low]. Thanks for all the background info. Based on that, it 
looks like it is not imperative to upgrade the previous versions, and thus 
upgrading trunk is sufficient.

 

+1 on the patch for trunk, and committed as sha 
{{76ef78b7d74972bd235159ca304648ab439fb715}}. Thanks!

> Bump jackson version to >= 2.9.5
> --------------------------------
>
>                 Key: CASSANDRA-14427
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14427
>             Project: Cassandra
>          Issue Type: Improvement
>            Reporter: Lerh Chuan Low
>            Assignee: Lerh Chuan Low
>            Priority: Major
>             Fix For: 4.0
>
>         Attachments: 2.1-14427.txt, 2.2-14427.txt, 3.0-14427.txt, 
> 3.X-14427.txt, trunk-14427.txt
>
>
> The Jackson being used by Cassandra is really old (1.9.2, and still 
> references codehaus (Jackson 1) instead of fasterxml (Jackson 2)). 
> There have been a few jackson vulnerabilities recently (mostly around 
> deserialization which allows arbitrary code execution)
> [https://nvd.nist.gov/vuln/detail/CVE-2017-7525]
>  [https://nvd.nist.gov/vuln/detail/CVE-2017-15095]
>  [https://nvd.nist.gov/vuln/detail/CVE-2018-1327]
>  [https://nvd.nist.gov/vuln/detail/CVE-2018-7489]
> Given that Jackson in Cassandra is really old and seems to be used also for 
> reading in values, it looks worthwhile to update Jackson to 2.9.5. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to