[
https://issues.apache.org/jira/browse/CASSANDRA-15867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17134464#comment-17134464
]
Brandon Williams commented on CASSANDRA-15867:
----------------------------------------------
I would say if we fix it in one branch, but another is also vulnerable for the
same reason, we should fix it there too.
> This holds for more dependencies, what is the general approach here?
I would take it on a case-by-case basis. I looked into the Jackson
vulnerability and it does seem to be exploitable for us (though I don't know
why users would DoS their database on purpose, certainly accidents can happen.)
> Update Jackson version to 2.9.10.1 because there are security issues in 2.9.5
> -----------------------------------------------------------------------------
>
> Key: CASSANDRA-15867
> URL: https://issues.apache.org/jira/browse/CASSANDRA-15867
> Project: Cassandra
> Issue Type: Task
> Components: Dependencies
> Reporter: Stefan Miklosovic
> Assignee: Stefan Miklosovic
> Priority: Normal
> Fix For: 4.0-alpha5
>
> Attachments: dependency-check-report.html
>
>
> Please see attached HTML report from OWASP dependency check for current
> 4.0-alpha5 trunk branch.
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
