This is an automated email from the ASF dual-hosted git repository.

brandonwilliams pushed a commit to branch cassandra-3.11
in repository https://gitbox.apache.org/repos/asf/cassandra.git


The following commit(s) were added to refs/heads/cassandra-3.11 by this push:
     new 70b0673d85 Suppress CVE-2022-25857 et al for snakeyaml
70b0673d85 is described below

commit 70b0673d85ba67c7c1129d4e50da72ee0d5dc5d9
Author: Brandon Williams <[email protected]>
AuthorDate: Tue Sep 20 09:14:25 2022 -0500

    Suppress CVE-2022-25857 et al for snakeyaml
    
    Also suppresses CVE-2022-38752, CVE-2022-38751, CVE-2022-38750,
    CVE-2022-25857, CVE-2022-38749
    
    Patch by brandonwilliams; reviewed by smiklosovic for CASSANDRA-17907
---
 .build/dependency-check-suppressions.xml | 5 +++++
 CHANGES.txt                              | 1 +
 2 files changed, 6 insertions(+)

diff --git a/.build/dependency-check-suppressions.xml 
b/.build/dependency-check-suppressions.xml
index 9aedeae594..28cbf593bd 100644
--- a/.build/dependency-check-suppressions.xml
+++ b/.build/dependency-check-suppressions.xml
@@ -24,6 +24,11 @@
         <!--  https://issues.apache.org/jira/browse/CASSANDRA-16150 -->
         <packageUrl 
regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
         <cve>CVE-2017-18640</cve>
+        <cve>CVE-2022-25857</cve>
+        <cve>CVE-2022-38749</cve>
+        <cve>CVE-2022-38750</cve>
+        <cve>CVE-2022-38751</cve>
+        <cve>CVE-2022-38752</cve>
     </suppress>
 
     <!-- https://issues.apache.org/jira/browse/CASSANDRA-15417 -->
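Review bot: the five new `<cve>` entries are added under a suppress block whose only rationale comment points at CASSANDRA-16150, the ticket for CVE-2017-18640, so a reader of the suppressions file cannot tell why the 2022 snakeyaml CVEs are considered not applicable. Add a comment line above the new entries, e.g. `<!-- https://issues.apache.org/jira/browse/CASSANDRA-17907 -->`, so the justification is discoverable without reading git history. Also note that the existing `<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>` matches every snakeyaml version, so these suppressions will keep silencing the scanner even after the dependency is upgraded to a version the CVEs actually apply to or are fixed in; consider bounding the suppression (dependency-check supports an `until` date on `<suppress>`, or the regex can pin the current version) so it is revisited rather than becoming permanent.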
diff --git a/CHANGES.txt b/CHANGES.txt
index 15d52685ba..d3031cd294 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,4 +1,5 @@
 3.11.14
+ * Suppress CVE-2022-25857 and other snakeyaml CVEs (CASSANDRA-17907)
  * Fix potential IndexOutOfBoundsException in PagingState in mixed mode 
clusters (CASSANDRA-17840)
  * Document usage of closed token intervals in manual compaction 
(CASSANDRA-17575)
  * Creating of a keyspace on insufficient number of replicas should filter out 
gosspping-only members (CASSANDRA-17759)
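Review bot: the CHANGES.txt entry names only CVE-2022-25857 and says "other snakeyaml CVEs", while the commit message lists all five (CVE-2022-25857, CVE-2022-38749, CVE-2022-38750, CVE-2022-38751, CVE-2022-38752). Since CHANGES.txt is what users grep when a scanner flags their deployment, list all five identifiers in the entry so each one is searchable against this release note; the ticket reference (CASSANDRA-17907) is already present and can stay as is.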

