[ https://issues.apache.org/jira/browse/CASSANDRA-15828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17179031#comment-17179031 ]

Mark Denihan commented on CASSANDRA-15828:
------------------------------------------

[~c3-keveker] It's been removed, as I listed above, apparently as part of CASSANDRA-15867

{code}
Author: Stefan Miklosovic <stefan.mikloso...@instaclustr.com>  2020-06-13 16:09:00
Committer: Brandon Williams <brandonwilli...@apache.org>  2020-06-17 17:21:35
Parent: e49853914bd407827093cebf5151db0ebe2eba9e (Merge branch 'cassandra-3.0' into cassandra-3.11)
Child:  ac289270f2bb3bb7251319f7f71d6c66a4272db4 (Merge branch 'cassandra-3.0' into cassandra-3.11)
Branches: 3.11.7, cassandra-3.11, remotes/origin/cassandra-3.11, remotes/origin/trunk, trunk
Follows: cassandra-3.11.6
Precedes: cassandra-3.11.7

    update Jackson to 2.9.10
    
    Patch by Stefan Miklosovic, reviewed by brandonwilliams for
    CASSANDRA-15867

---------------------------------- build.xml ----------------------------------
index 0724dbb29c..25a47335b9 100644
@@ -406,8 +406,9 @@
           <dependency groupId="org.slf4j" artifactId="jcl-over-slf4j" 
version="1.7.7" />
           <dependency groupId="ch.qos.logback" artifactId="logback-core" 
version="1.1.3"/>
           <dependency groupId="ch.qos.logback" artifactId="logback-classic" 
version="1.1.3"/>
-          <dependency groupId="org.codehaus.jackson" 
artifactId="jackson-core-asl" version="1.9.2"/>
-          <dependency groupId="org.codehaus.jackson" 
artifactId="jackson-mapper-asl" version="1.9.2"/>
+          <dependency groupId="com.fasterxml.jackson.core" 
artifactId="jackson-core" version="2.9.10"/>
+          <dependency groupId="com.fasterxml.jackson.core" 
artifactId="jackson-databind" version="2.9.10.4"/>
+          <dependency groupId="com.fasterxml.jackson.core" 
artifactId="jackson-annotations" version="2.9.10"/>
           <dependency groupId="com.googlecode.json-simple" 
artifactId="json-simple" version="1.1"/>
           <dependency groupId="com.boundary" artifactId="high-scale-lib" 
version="1.0.6"/>
           <dependency groupId="com.github.jbellis" artifactId="jamm" 
version="0.3.0"/>
@@ -627,8 +628,9 @@
         <dependency groupId="org.slf4j" artifactId="slf4j-api"/>
         <dependency groupId="org.slf4j" artifactId="log4j-over-slf4j"/>
         <dependency groupId="org.slf4j" artifactId="jcl-over-slf4j"/>
-        <dependency groupId="org.codehaus.jackson" 
artifactId="jackson-core-asl"/>
-        <dependency groupId="org.codehaus.jackson" 
artifactId="jackson-mapper-asl"/>
+        <dependency groupId="com.fasterxml.jackson.core" 
artifactId="jackson-core"/>
+        <dependency groupId="com.fasterxml.jackson.core" 
artifactId="jackson-databind"/>
+        <dependency groupId="com.fasterxml.jackson.core" 
artifactId="jackson-annotations"/>
         <dependency groupId="com.googlecode.json-simple" 
artifactId="json-simple"/>
         <dependency groupId="com.boundary" artifactId="high-scale-lib"/>
         <dependency groupId="org.yaml" artifactId="snakeyaml"/>
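Review bot: the versionless declarations for jackson-core, jackson-databind and jackson-annotations here inherit whatever the first hunk manages, so the core 2.9.10 / databind 2.9.10.4 pairing must be kept in lockstep in one place only, which is fine, but any future bump of one without the others will surface here silently. Separately, deleting the two org.codehaus.jackson declarations does not prevent another dependency from pulling jackson-core-asl or jackson-mapper-asl in transitively; since the reporter's complaint is what a scanner finds in the shipped jars, consider adding an explicit exclusion or a build-time check that no jackson-*-asl jar lands in lib/, otherwise the re-scan requested in the comment may still flag it.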
{code}

This will result in the issue no longer being detected in your security scans. 
Please re-run them to confirm.

Will this fix be implemented on 2.2 / 3.0 versions as well?


> Remove jackson-mapper-asl-1.9.13 to address CVE
> -----------------------------------------------
>
>                 Key: CASSANDRA-15828
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15828
>             Project: Cassandra
>          Issue Type: Improvement
>            Reporter: Kevin Eveker
>            Priority: Normal
>
> Recent scan results identified the following CVE, which requires this upgrade to 
> address:
> [https://nvd.nist.gov/vuln/detail/CVE-2019-10172]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
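Two checks that follow from the comment above, as an added example that is not part of the Jira thread or of Cassandra's own build: parse an Ant build.xml for leftover org.codehaus.jackson declarations, confirm that the Jackson 2 replacements are version-aligned (databind micro releases such as 2.9.10.4 are meant to sit on the matching 2.9.10 core and annotations), and scan a built lib/ directory by jar filename the way a dependency scanner does, which also catches jars pulled in transitively and never declared in build.xml. The two build.xml fragments and the jar list are constructed from the hunk above, not copied from the project.

```python
"""Post-fix checks for the Jackson 1.x -> 2.x swap (CVE-2019-10172 family).

Added example; the build.xml fragments below are constructed from the diff in
the Jira comment and are not Cassandra's real build file.
"""
import re
import xml.etree.ElementTree as ET

JACKSON1_GROUP = "org.codehaus.jackson"          # Jackson 1.x, flagged by scanners
JACKSON2_GROUP = "com.fasterxml.jackson.core"    # Jackson 2.x replacement

# Constructed: the dependency lines before the patch (assumption, not the full file).
BUILD_XML_BEFORE = """<project name="demo">
  <dependency groupId="org.slf4j" artifactId="jcl-over-slf4j" version="1.7.7"/>
  <dependency groupId="org.codehaus.jackson" artifactId="jackson-core-asl" version="1.9.2"/>
  <dependency groupId="org.codehaus.jackson" artifactId="jackson-mapper-asl" version="1.9.2"/>
  <dependency groupId="com.googlecode.json-simple" artifactId="json-simple" version="1.1"/>
</project>
"""

# Constructed: the same lines after the patch.
BUILD_XML_AFTER = """<project name="demo">
  <dependency groupId="org.slf4j" artifactId="jcl-over-slf4j" version="1.7.7"/>
  <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-core" version="2.9.10"/>
  <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-databind" version="2.9.10.4"/>
  <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-annotations" version="2.9.10"/>
  <dependency groupId="com.googlecode.json-simple" artifactId="json-simple" version="1.1"/>
</project>
"""


def dependencies(build_xml):
    """Return (groupId, artifactId, version) for every <dependency> element."""
    root = ET.fromstring(build_xml)
    return [(d.get("groupId"), d.get("artifactId"), d.get("version"))
            for d in root.iter("dependency")]


def jackson1_artifacts(build_xml):
    """Artifact ids still declared from the Jackson 1.x group; empty means clean."""
    return sorted(a for g, a, _ in dependencies(build_xml) if g == JACKSON1_GROUP)


def jackson2_alignment(build_xml):
    """Check that core, annotations and databind come from one 2.x.y line.

    jackson-databind ships extra micro releases (2.9.10.4), so it must either
    equal the core version or extend it by exactly one numeric component.
    Returns (aligned, {artifactId: version}).
    """
    versions = {a: v for g, a, v in dependencies(build_xml) if g == JACKSON2_GROUP}
    core = versions.get("jackson-core")
    ann = versions.get("jackson-annotations")
    db = versions.get("jackson-databind")
    if not (core and ann and db):
        return False, versions
    micro_ok = db == core or re.fullmatch(re.escape(core) + r"\.\d+", db) is not None
    return ann == core and micro_ok, versions


# Jackson 1.x jar names as they appear in a lib/ directory.
JAR_PATTERN = re.compile(r"^jackson-(core|mapper)-asl-(\d[\w.\-]*)\.jar$")


def scan_lib_dir(jar_names):
    """Flag Jackson 1.x jars by filename, as a scanner does over shipped jars.

    This is the check that matters for the re-scan: a jar pulled in
    transitively shows up here even though build.xml never declares it.
    Returns {jar_name: version}.
    """
    hits = {}
    for name in jar_names:
        m = JAR_PATTERN.match(name)
        if m:
            hits[name] = m.group(2)
    return hits


if __name__ == "__main__":
    print("before:", jackson1_artifacts(BUILD_XML_BEFORE))
    print("after: ", jackson1_artifacts(BUILD_XML_AFTER))
    print("jackson2 aligned:", jackson2_alignment(BUILD_XML_AFTER))
    # Constructed lib/ listing: one stray 1.x jar left behind by a transitive pull.
    print("lib scan:", scan_lib_dir(["jackson-core-2.9.10.jar",
                                     "jackson-mapper-asl-1.9.13.jar",
                                     "snakeyaml-1.11.jar"]))
```

Run it against the real build.xml and a fresh `lib/` listing after the build; the alignment check is deliberately strict so that a later bump of databind alone (say to 2.10.0 on a 2.9.10 core) fails rather than slipping through.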
