[
https://issues.apache.org/jira/browse/CASSANDRA-18608?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17736519#comment-17736519
]
Brandon Williams commented on CASSANDRA-18608:
----------------------------------------------
One could argue if there isn't justification for other branches, we would just
be softening our policy to do it in others. The most risk averse thing we can
do is nothing, since we won't introduce any new changes that would carry the
possibility of regression. Without any past occurrences to bolster a
hypothetical future where they exist, I think that's unlikely to happen too.
All of that said, I think snappy is pretty solid and has generally only been
upgraded for better non-x86 support in the past, so we probably won't run into
another chance to upgrade for a while, so let's see how CI looks.
||Branch||CI||
|[4.0|https://github.com/driftx/cassandra/tree/CASSANDRA-18608-upgrade-4.0]|[j8|https://app.circleci.com/pipelines/github/driftx/cassandra/1076/workflows/8ffef323-6068-4b2c-9f7f-1032013abfb0], [j11|https://app.circleci.com/pipelines/github/driftx/cassandra/1076/workflows/c2ca8085-c78a-4b77-bffa-fd04eacbf168]|
|[4.1|https://github.com/driftx/cassandra/tree/CASSANDRA-18608-upgrade-4.1]|[j8|https://app.circleci.com/pipelines/github/driftx/cassandra/1077/workflows/af504bcc-0f03-41bc-b374-def601d50409], [j11|https://app.circleci.com/pipelines/github/driftx/cassandra/1077/workflows/025a4885-8b5e-4016-b1ac-30e764094379]|
|[trunk|https://github.com/driftx/cassandra/tree/CASSANDRA-18608-upgrade-trunk]|[j8|https://app.circleci.com/pipelines/github/driftx/cassandra/1075/workflows/cb792fba-04d4-4265-ac2d-dd5f99537a12], [j11|https://app.circleci.com/pipelines/github/driftx/cassandra/1075/workflows/acc2c087-b4da-4b49-8569-a7deea749519]|
> snappy-java vulnerability: CVE-2023-34455, CVE-2023-34454, CVE-2023-34453
> -------------------------------------------------------------------------
>
> Key: CASSANDRA-18608
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18608
> Project: Cassandra
> Issue Type: Bug
> Components: Feature/Compression
> Reporter: Brandon Williams
> Assignee: Brandon Williams
> Priority: Normal
> Fix For: 3.0.x, 3.11.x, 4.0.x, 4.1.x, 5.x
>
>
> Failing owasp:
> [https://nvd.nist.gov/vuln/detail/CVE-2023-34455]
> {quote}Due to use of an unchecked chunk length, an unrecoverable fatal error
> can occur in versions prior to 1.1.10.1.
> {quote}
> [https://nvd.nist.gov/vuln/detail/CVE-2023-34454]
> {quote}Due to unchecked multiplications, an integer overflow may occur in
> versions prior to 1.1.10.1, causing an unrecoverable fatal error.
> {quote}
> [https://nvd.nist.gov/vuln/detail/CVE-2023-34453]
> {quote}Due to unchecked multiplications, an integer overflow may occur in
> versions prior to 1.1.10.1, causing a fatal error.
> {quote}
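The three advisories quoted above are all fixed in snappy-java 1.1.10.1, so the practical question for anyone running a Cassandra build (or any other JVM project) is whether a pinned snappy-java version falls below that release. The script below is an added example, not code from the Jira thread or from the Cassandra project: it audits a list of dependency coordinates for affected snappy-java pins using numeric version comparison, which matters because a plain string comparison ranks "1.1.10.1" below "1.1.8.4". The Maven coordinates org.xerial.snappy:snappy-java are the artifact's real ones; the dependency list itself is constructed for illustration.

```python
"""Flag snappy-java dependency pins affected by CVE-2023-34453/34454/34455.

All three CVEs named in CASSANDRA-18608 are fixed in snappy-java 1.1.10.1,
so any pin below that version is affected and should be upgraded.
"""
import re
from typing import List, Tuple

FIXED_VERSION = "1.1.10.1"
CVES = ("CVE-2023-34453", "CVE-2023-34454", "CVE-2023-34455")

# Constructed sample of dependency coordinates (group:artifact:version);
# not taken from any real Cassandra build file.
SAMPLE_DEPENDENCIES = [
    "org.xerial.snappy:snappy-java:1.1.8.4",
    "org.xerial.snappy:snappy-java:1.1.10.1",
    "org.xerial.snappy:snappy-java:1.1.10.5",
    "org.lz4:lz4-java:1.8.0",
    "org.xerial.snappy:snappy-java:1.1.9",
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into a tuple of integers for numeric comparison.

    A plain string comparison gets this wrong: "1.1.10.1" < "1.1.8.4"
    lexically, because '1' sorts before '8'. Any qualifier after '-' or '+'
    (e.g. "-SNAPSHOT") is stripped before the numeric parts are compared.
    """
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is less than, equal to or greater than b.

    Shorter tuples are padded with zeros so that "1.1.10" == "1.1.10.0".
    """
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_affected(coordinate: str) -> bool:
    """True when the coordinate is snappy-java pinned below the fixed version."""
    group, artifact, version = coordinate.split(":", 2)
    if (group, artifact) != ("org.xerial.snappy", "snappy-java"):
        return False
    return compare_versions(version, FIXED_VERSION) < 0


def audit(dependencies: List[str]) -> List[str]:
    """Return the coordinates that still need the upgrade."""
    return [dep for dep in dependencies if is_affected(dep)]


if __name__ == "__main__":
    for hit in audit(SAMPLE_DEPENDENCIES):
        print(f"{hit}: affected by {', '.join(CVES)}; upgrade to >= {FIXED_VERSION}")
```

Feeding this the coordinates from a real build (for example the output of a dependency listing tool) gives a quick answer to whether a branch already carries the fix, independent of whatever scanner first raised the finding.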
--
This message was sent by Atlassian Jira
(v8.20.10#820010)