[ https://issues.apache.org/jira/browse/CASSANDRA-15828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17179031#comment-17179031 ]
Mark Denihan commented on CASSANDRA-15828:
------------------------------------------

[~c3-keveker] It's been removed, as I listed above, apparently as part of CASSANDRA-15867

{code}
Author: Stefan Miklosovic <stefan.mikloso...@instaclustr.com> 2020-06-13 16:09:00
Committer: Brandon Williams <brandonwilli...@apache.org> 2020-06-17 17:21:35
Parent: e49853914bd407827093cebf5151db0ebe2eba9e (Merge branch 'cassandra-3.0' into cassandra-3.11)
Child: ac289270f2bb3bb7251319f7f71d6c66a4272db4 (Merge branch 'cassandra-3.0' into cassandra-3.11)
Branches: 3.11.7, cassandra-3.11, remotes/origin/cassandra-3.11, remotes/origin/trunk, trunk
Follows: cassandra-3.11.6
Precedes: cassandra-3.11.7

update Jackson to 2.9.10

Patch by Stefan Miklosovic, reviewed by brandonwilliams for CASSANDRA-15867

---------------------------------- build.xml ---------------------------------- index 0724dbb29c..25a47335b9 100644 @@ -406,8 +406,9 @@ <dependency groupId="org.slf4j" artifactId="jcl-over-slf4j" version="1.7.7" /> <dependency groupId="ch.qos.logback" artifactId="logback-core" version="1.1.3"/> <dependency groupId="ch.qos.logback" artifactId="logback-classic" version="1.1.3"/> - <dependency groupId="org.codehaus.jackson" artifactId="jackson-core-asl" version="1.9.2"/> - <dependency groupId="org.codehaus.jackson" artifactId="jackson-mapper-asl" version="1.9.2"/> + <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-core" version="2.9.10"/> + <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-databind" version="2.9.10.4"/> + <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-annotations" version="2.9.10"/> <dependency groupId="com.googlecode.json-simple" artifactId="json-simple" version="1.1"/> <dependency groupId="com.boundary" artifactId="high-scale-lib" version="1.0.6"/> <dependency groupId="com.github.jbellis" artifactId="jamm" version="0.3.0"/>
@@ -627,8 +628,9 @@ <dependency groupId="org.slf4j" artifactId="slf4j-api"/> <dependency groupId="org.slf4j" artifactId="log4j-over-slf4j"/> <dependency groupId="org.slf4j" artifactId="jcl-over-slf4j"/> - <dependency groupId="org.codehaus.jackson" artifactId="jackson-core-asl"/> - <dependency groupId="org.codehaus.jackson" artifactId="jackson-mapper-asl"/> + <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-core"/> + <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-databind"/> + <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-annotations"/> <dependency groupId="com.googlecode.json-simple" artifactId="json-simple"/> <dependency groupId="com.boundary" artifactId="high-scale-lib"/> <dependency groupId="org.yaml" artifactId="snakeyaml"/>
{code}

This will result in the issue no longer being detected in your security scans. Please re-run them to confirm.

Will this fix be implemented on 2.2 / 3.0 versions as well?

> Remove jackson-mapper-asl-1.9.13 to address CVE
> -----------------------------------------------
>
> Key: CASSANDRA-15828
> URL: https://issues.apache.org/jira/browse/CASSANDRA-15828
> Project: Cassandra
> Issue Type: Improvement
> Reporter: Kevin Eveker
> Priority: Normal
>
> Recent scan results identified the following CVE that requires this upgrade to address
> [https://nvd.nist.gov/vuln/detail/CVE-2019-10172]
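Review bot: in the first build.xml hunk (@@ -406,8 +406,9 @@), jackson-databind is pinned at version="2.9.10.4" while jackson-core and jackson-annotations are at version="2.9.10", and the commit message only says "update Jackson to 2.9.10". If the different databind patch level is deliberate, record the reason in the commit message or in an XML comment beside that dependency, so a later bump does not quietly level all three to one version; moving the versions into build properties would also keep the three declarations from drifting apart. Separately, the removed lines show jackson-core-asl and jackson-mapper-asl at 1.9.2, whereas the ticket title names jackson-mapper-asl-1.9.13, so the ticket should state which artifact version the scanner flagged on this branch.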
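Review bot: the three com.fasterxml.jackson.core entries added in the second hunk (@@ -627,8 +628,9 @@) carry no version attribute, like their neighbours, so they depend entirely on the versioned declarations changed in the first hunk, and nothing in this hunk shows that the org.codehaus.jackson artifacts cannot still arrive through another dependency in the same list. Because the ticket is driven by a scanner finding, add a check of the resolved dependency set, or of the jars in the build output, for leftover jackson-core-asl and jackson-mapper-asl files before the issue is closed.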