[ https://issues.apache.org/jira/browse/CASSANDRA-15867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17134464#comment-17134464 ]
Brandon Williams commented on CASSANDRA-15867:
----------------------------------------------

I would say if we fix it in one branch, but another is also vulnerable for the same reason, we should fix it there too.

> This holds for more dependencies, what is the general approach here?

I would take it on a case-by-case basis. I looked into the Jackson vulnerability and it does seem to be exploitable for us (though I don't know why users would DoS their database on purpose; certainly accidents can happen.)

> Update Jackson version to 2.9.10.1 because there are security issues in 2.9.5
> -----------------------------------------------------------------------------
>
>                 Key: CASSANDRA-15867
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15867
>             Project: Cassandra
>          Issue Type: Task
>          Components: Dependencies
>            Reporter: Stefan Miklosovic
>            Assignee: Stefan Miklosovic
>            Priority: Normal
>             Fix For: 4.0-alpha5
>
>         Attachments: dependency-check-report.html
>
>
> Please see attached HTML report from OWASP dependency check for current
> 4.0-alpha5 trunk branch.
>
>

--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
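The two points raised in this thread (pin a dependency at or above a minimum-safe version, and check every branch that carries the same dependency, not just the one where the issue was filed) can be turned into a small pre-commit or CI check. The script below is an added example and is not code from the Cassandra project or from anyone in this thread. The per-branch dependency lists and branch names are constructed placeholders; the only version taken from the page is the jackson-databind floor of 2.9.10.1 from the issue title. It also shows the one pitfall a practitioner hits when writing such a check: compared as strings, "2.9.10.1" sorts *below* "2.9.5", so versions must be compared component by component.

```python
"""Check pinned dependency versions across branches against minimum-safe versions.

Added example, not Cassandra project code. The manifests and branch names below are
constructed for illustration; the jackson-databind floor (2.9.10.1) comes from the
issue title, nothing else here is taken from the project.
"""
import re
from typing import Dict, List, Tuple

# Minimum acceptable version per Maven coordinate ("group:artifact").
# Assumed policy table for this example; extend it with further coordinates as needed.
MINIMUM_VERSIONS: Dict[str, str] = {
    "com.fasterxml.jackson.core:jackson-databind": "2.9.10.1",
}

# Constructed per-branch dependency lists in "group:artifact:version" form.
# These are not the real dependency lists of any Cassandra branch.
BRANCH_MANIFESTS: Dict[str, List[str]] = {
    "trunk": [
        "com.fasterxml.jackson.core:jackson-databind:2.9.10.1",
        "com.fasterxml.jackson.core:jackson-core:2.9.10",
    ],
    "cassandra-3.11": [
        "com.fasterxml.jackson.core:jackson-databind:2.9.5",
        "com.fasterxml.jackson.core:jackson-core:2.9.5",
    ],
}

_NUMERIC = re.compile(r"\d+")
VersionKey = Tuple[Tuple[int, ...], int, str]


def parse_version(version: str) -> VersionKey:
    """Turn '2.9.10.1' into a key that compares correctly.

    Numeric components are compared as integers, so 2.9.10.1 > 2.9.5 (plain string
    comparison gets this backwards). Trailing zeros are dropped so 2.9.10 == 2.9.10.0.
    A non-numeric qualifier such as '-SNAPSHOT' or '.rc1' sorts below the bare release
    with the same numbers, following Maven convention; qualifiers are otherwise compared
    as plain strings, which is a simplification sufficient for a version floor check.
    """
    parts = re.split(r"[.\-]", version.strip())
    numbers: List[int] = []
    qualifier = ""
    for i, part in enumerate(parts):
        if _NUMERIC.fullmatch(part):
            numbers.append(int(part))
        else:
            qualifier = "-".join(parts[i:])
            break
    if not numbers:
        raise ValueError(f"unparseable version: {version!r}")
    while len(numbers) > 1 and numbers[-1] == 0:
        numbers.pop()
    is_release = 0 if qualifier else 1
    return (tuple(numbers), is_release, qualifier)


def check_manifest(manifest: List[str]) -> List[Tuple[str, str, str]]:
    """Return (coordinate, pinned_version, minimum_version) for every pin below its floor."""
    findings: List[Tuple[str, str, str]] = []
    for line in manifest:
        fields = line.strip().split(":")
        if len(fields) != 3:
            raise ValueError(f"expected group:artifact:version, got {line!r}")
        group, artifact, version = fields
        coordinate = f"{group}:{artifact}"
        floor = MINIMUM_VERSIONS.get(coordinate)
        if floor is not None and parse_version(version) < parse_version(floor):
            findings.append((coordinate, version, floor))
    return findings


def check_all_branches(
    manifests: Dict[str, List[str]] = BRANCH_MANIFESTS,
) -> Dict[str, List[Tuple[str, str, str]]]:
    """Run the floor check against every branch, not only the one the issue was filed on."""
    return {branch: check_manifest(manifest) for branch, manifest in manifests.items()}


def branches_needing_fix(results: Dict[str, List[Tuple[str, str, str]]]) -> List[str]:
    """Branches that still carry at least one dependency below its minimum-safe version."""
    return sorted(branch for branch, findings in results.items() if findings)


if __name__ == "__main__":
    results = check_all_branches()
    for branch, findings in results.items():
        status = "OK" if not findings else "NEEDS FIX"
        print(f"{branch}: {status}")
        for coordinate, pinned, floor in findings:
            print(f"  {coordinate} pinned at {pinned}, minimum is {floor}")
```

Wiring this into CI with one manifest per maintained branch makes the "fix it there too" rule mechanical: the check fails until every branch that ships the dependency is at or above the floor, and the floor table is the single place to bump when the next advisory lands.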