This is an automated email from the ASF dual-hosted git repository. brandonwilliams pushed a commit to branch cassandra-4.0 in repository https://gitbox.apache.org/repos/asf/cassandra.git
commit 4157e7a8e04655af4553d9003b9cb46897dddc2c Merge: 488c0c75a8 2e6528542b Author: Brandon Williams <[email protected]> AuthorDate: Tue Oct 18 10:31:37 2022 -0500 Merge branch 'cassandra-3.11' into cassandra-4.0 .build/dependency-check-suppressions.xml | 7 +++++++ CHANGES.txt | 1 + 2 files changed, 8 insertions(+) diff --cc .build/dependency-check-suppressions.xml index 9a84700c64,bd6f90da62..a065089feb --- a/.build/dependency-check-suppressions.xml +++ b/.build/dependency-check-suppressions.xml @@@ -58,4 -46,47 +58,11 @@@ <cve>CVE-2021-43797</cve> <cve>CVE-2022-24823</cve> </suppress> - - <!-- https://issues.apache.org/jira/browse/CASSANDRA-14183 --> - <suppress> - <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-core@.*$</packageUrl> - <cve>CVE-2017-5929</cve> - </suppress> - <suppress> - <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-classic@.*$</packageUrl> - <cve>CVE-2017-5929</cve> - </suppress> - - <!-- this was fixed in 3.0.22 --> - <suppress> - <packageUrl regex="true">^pkg:maven/com\.datastax\.cassandra/cassandra\-driver\-core@.*$</packageUrl> - <cve>CVE-2020-13946</cve> - <cve>CVE-2020-17516</cve> - <cve>CVE-2021-44521</cve> - </suppress> - - <!-- https://issues.apache.org/jira/browse/CASSANDRA-14760 --> - <suppress> - <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl> - <cve>CVE-2018-10237</cve> - <cve>CVE-2020-8908</cve> - </suppress> - - <!-- https://issues.apache.org/jira/browse/CASSANDRA-16606 --> - <suppress> - <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@.*$</packageUrl> - <cve>CVE-2015-3254</cve> - <cve>CVE-2016-5397</cve> - <cve>CVE-2018-1320</cve> - <cve>CVE-2018-11798</cve> - <cve>CVE-2019-0205</cve> - </suppress> - + <!-- https://issues.apache.org/jira/browse/CASSANDRA-17966 --> + <suppress> + <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl> + <cve>CVE-2022-42003</cve> + <cve>CVE-2022-42004</cve> + </suppress> + 
</suppressions> diff --cc CHANGES.txt index 4a85c97c53,cbe38d02b3..213c3fb918 --- a/CHANGES.txt +++ b/CHANGES.txt @@@ -1,14 -1,5 +1,15 @@@ -3.11.14 +4.0.7 + * Remove empty cq4 files in log directory to not fail the startup of BinLog (CASSANDRA-17933) + * Fix multiple BufferPool bugs (CASSANDRA-16681) + * Fix StorageService.getNativeaddress handling of IPv6 addresses (CASSANDRA-17945) + * Mitigate direct buffer memory OOM on replacements (CASSANDRA-17895) + * Fix repair failure on assertion if two peers have overlapping mismatching ranges (CASSANDRA-17900) + * Better handle null state in Gossip schema migration to avoid NPE (CASSANDRA-17864) + * HintedHandoffAddRemoveNodesTest now accounts for the fact that StorageMetrics.totalHints is not updated synchronously w/ writes (CASSANDRA-16679) + * Avoid getting hanging repairs due to repair message timeouts (CASSANDRA-17613) + * Prevent infinite loop in repair coordinator on FailSession (CASSANDRA-17834) +Merged from 3.11: + * Suppress CVE-2022-42003 and CVE-2022-42004 (CASSANDRA-17966) * Make LongBufferPoolTest insensitive to timing (CASSANDRA-16681) * Suppress CVE-2022-25857 and other snakeyaml CVEs (CASSANDRA-17907) * Fix potential IndexOutOfBoundsException in PagingState in mixed mode clusters (CASSANDRA-17840) --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
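Review bot: The jackson-databind suppression added at the end of the first hunk matches every version (`@.*$`) and has no expiry, so dependency-check will keep hiding CVE-2022-42003 and CVE-2022-42004 for any jackson-databind version that is ever bundled. The file records no reason beyond the link to CASSANDRA-17966. Consider giving the entry an expiry so it gets re-evaluated, e.g. `<suppress until="YYYY-MM-DDZ">` (placeholder date), and adding a `<notes>` element that states why the two CVEs are judged not applicable. If the justification is that the affected deserialization configuration is not used by the project's ObjectMapper instances (an assumption, since the diff does not say), writing that in the file lets a later reviewer re-check it when the mapper configuration or the dependency version changes. The older suppressions visible in this hunk follow the same unbounded pattern, so the point applies to them as well.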
