[
https://issues.apache.org/jira/browse/CASSANDRA-15867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17134464#comment-17134464
]
Brandon Williams edited comment on CASSANDRA-15867 at 6/12/20, 6:50 PM:
------------------------------------------------------------------------
I would say if we fix it in one branch, but another is also vulnerable for the
same reason, we should fix it there too.
> This holds for more dependencies, what is the general approach here?
I would take it on a case-by-case basis. I looked into the Jackson
vulnerability and it does seem to be exploitable for us (though I don't know
why users would DoS their database on purpose, certainly accidents can happen.)
> Update Jackson version to 2.9.10.1 because there are security issues in 2.9.5
> -----------------------------------------------------------------------------
>
> Key: CASSANDRA-15867
> URL: https://issues.apache.org/jira/browse/CASSANDRA-15867
> Project: Cassandra
> Issue Type: Task
> Components: Dependencies
> Reporter: Stefan Miklosovic
> Assignee: Stefan Miklosovic
> Priority: Normal
> Fix For: 4.0-alpha5
>
> Attachments: dependency-check-report.html
>
> Please see attached HTML report from OWASP dependency check for current
> 4.0-alpha5 trunk branch.
>
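As an added check (not code from the Cassandra project or from this ticket), the script below flags Jackson jars whose version is below the 2.9.10.1 the ticket moves to. It assumes the dependency jars sit in a lib/ directory named in the Maven style <artifact>-<version>.jar, and that the same minimum applies to every Jackson artifact; the one thing worth noticing is that the comparison must be numeric, because a plain string compare ranks "2.9.10.1" below "2.9.5".

```python
"""Flag Jackson jars older than the version CASSANDRA-15867 updates to.

Added example, not code from the Cassandra project. Assumes jars follow
the <artifact>-<version>.jar naming convention (e.g. jackson-databind-2.9.5.jar).
"""
import re
from pathlib import Path

# Version the ticket moves to; 2.9.5 is what the OWASP dependency-check report flagged.
MIN_JACKSON_VERSION = "2.9.10.1"

JAR_RE = re.compile(r"^(?P<artifact>jackson-[a-z0-9-]+?)-(?P<version>\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '2.9.10.1' into (2, 9, 10, 1) so comparison is numeric.

    A lexical compare is wrong here: '2.9.10.1' < '2.9.5' as strings,
    which would make the fixed version look older than the vulnerable one.
    """
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version):
    """True when a jar version is below the minimum fixed version."""
    return parse_version(version) < parse_version(MIN_JACKSON_VERSION)


def scan_jar_names(names):
    """Return {artifact: version} for every Jackson jar name that is too old."""
    outdated = {}
    for name in names:
        match = JAR_RE.match(name)
        if match and is_vulnerable(match.group("version")):
            outdated[match.group("artifact")] = match.group("version")
    return outdated


def scan_lib_dir(lib_dir):
    """Apply the same check to an on-disk lib/ directory (hypothetical path)."""
    return scan_jar_names(p.name for p in Path(lib_dir).glob("*.jar"))


if __name__ == "__main__":
    # Constructed sample listing resembling a pre-fix 4.0-alpha lib/ directory.
    sample = ["jackson-core-2.9.5.jar", "jackson-databind-2.9.5.jar",
              "jackson-annotations-2.9.5.jar", "guava-27.0-jre.jar"]
    for artifact, version in sorted(scan_jar_names(sample).items()):
        print(f"{artifact} {version} is below {MIN_JACKSON_VERSION}")
```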