[ https://issues.apache.org/jira/browse/CASSANDRA-15590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17040246#comment-17040246 ]
David Capwell commented on CASSANDRA-15590:
-------------------------------------------
As far as I can tell, the CVEs are all for HTTP handling, and I can't find any
usage of HTTP handling in the server.

The Java driver depends on netty (see
https://github.com/datastax/java-driver/blob/4.x/core/pom.xml#L45) but I
wouldn't expect usage of HTTP directly there. The issue with the driver is that
it runs in the user class path, so it's very possible users don't define their
own netty and use the version provided by the Java driver; so it seems important
to look at this for the client.

> Upgrade io.netty_netty-all dependency to fix security vulnerabilities
> ---------------------------------------------------------------------
>
> Key: CASSANDRA-15590
> URL: https://issues.apache.org/jira/browse/CASSANDRA-15590
> Project: Cassandra
> Issue Type: Task
> Components: Dependencies
> Reporter: Vishwas Vijaya Kumar
> Priority: Normal
>
> Upgrade io.netty_netty-all dependency to fix the following CVEs:
> * [CVE-2019-20444|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20444]
> * [CVE-2019-20445|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20445]
> * [CVE-2019-16869|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16869]
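
An added example, not part of the Jira thread and not Cassandra or driver code: one way to check the two questions raised in the comment above, whether a jar ships Netty's HTTP codec and whether any non-Netty class in it references that codec. `io.netty.handler.codec.http` is Netty's HTTP codec package; the jar contents and the `org/example/...` class names are constructed for illustration.

```python
import io
import zipfile

# Internal (slash-separated) form of Netty's HTTP codec package, which is how
# class names are stored in a .class file's constant pool.
HTTP_CODEC = b"io/netty/handler/codec/http/"

def scan_jar(jar):
    """Return (bundles_codec, referencing_classes) for a jar path or file object."""
    bundles = False
    referencing = []
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            if name.startswith("io/netty/"):
                # Netty's own classes: record whether the HTTP codec ships here.
                bundles = bundles or name.encode().startswith(HTTP_CODEC)
                continue
            # Non-Netty class: a constant-pool reference appears as raw bytes.
            if HTTP_CODEC in zf.read(name):
                referencing.append(name)
    return bundles, sorted(referencing)

def build_sample_jar(entries):
    """Constructed sample: an in-memory jar holding fake class bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    buf.seek(0)
    return buf

# Constructed inputs (not real Cassandra or driver artifacts).
SERVER_JAR = {
    "org/example/server/NativeTransport.class": b"\xca\xfe\xba\xbe io/netty/channel/Channel",
}
FAT_CLIENT_JAR = {
    "io/netty/handler/codec/http/HttpObjectDecoder.class": b"\xca\xfe\xba\xbe",
    "org/example/app/RestProxy.class": b"\xca\xfe\xba\xbe io/netty/handler/codec/http/HttpRequest",
    "org/example/app/Query.class": b"\xca\xfe\xba\xbe io/netty/buffer/ByteBuf",
}

if __name__ == "__main__":
    for label, entries in (("server", SERVER_JAR), ("client", FAT_CLIENT_JAR)):
        bundles, refs = scan_jar(build_sample_jar(entries))
        print(f"{label}: bundles HTTP codec={bundles}, referencing classes={refs}")
```

A byte search of this kind misses classes loaded by reflection and Netty copies relocated under a shaded package name, so an empty result narrows the question rather than settling it.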