[ https://issues.apache.org/jira/browse/CASSANDRA-18875?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brandon Williams updated CASSANDRA-18875:
-----------------------------------------
Change Category: Semantic
Complexity: Normal
Component/s: Local/Config
Fix Version/s: 5.x
Status: Open (was: Triage Needed)
Sure, we can target trunk for this and take a look when it's done to consider 5.0.
> Upgrade the snakeyaml library version
> -------------------------------------
>
> Key: CASSANDRA-18875
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18875
> Project: Cassandra
> Issue Type: Task
> Components: Local/Config
> Reporter: Jai Bheemsen Rao Dhanwada
> Priority: Normal
> Fix For: 5.x
>
>
> Apache Cassandra uses version 1.26 of the snakeyaml dependency, and there are
> several
> [vulnerabilities|https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.26#]
> in this version that can be fixed by upgrading to the 2.x version. I understand
> that this is not a security issue as Cassandra already uses SafeConstructor and
> it is not a vulnerability under OWASP, so there are no plans to fix it as per
> CASSANDRA-18122.
>
> Cassandra is an open source project used and distributed by many enterprise
> customers, and when downloading Cassandra as a tar and using it, external
> scanners are not aware of the implementation of SafeConstructor and have no
> idea if it's vulnerable or not.
> Can we consider upgrading the version to 2.x in the next releases, as
> snakeyaml is not something that has a large dependency between the major and
> minor versions? I am happy to open a PR for this. Please let me know your
> thoughts on this.
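The point in the description is that Cassandra parses its YAML through SafeConstructor, which only honours the standard YAML tags, so a global (`!!`) tag naming an arbitrary class is rejected instead of instantiated. The following is an added illustration, not code from the Cassandra project or from this issue. It uses the snakeyaml 2.x API (in 2.0 the no-argument constructors were removed, so LoaderOptions is passed explicitly); the YAML inputs are constructed for the example, and the class name SafeYamlLoading is hypothetical.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

/**
 * Shows what a SafeConstructor-backed loader does with an ordinary config
 * document versus one carrying a global tag. snakeyaml 2.x API; hypothetical
 * class name, constructed sample inputs.
 */
public class SafeYamlLoading {

    // Constructed sample resembling a plain config file: only standard YAML
    // scalar and collection types, no application-specific tags.
    static final String PLAIN_CONFIG =
            "cluster_name: 'Test Cluster'\n" +
            "num_tokens: 16\n" +
            "seed_provider:\n" +
            "  - class_name: org.apache.cassandra.locator.SimpleSeedProvider\n";

    // Constructed sample carrying a global (!!) tag. SafeConstructor has no
    // mapping for such a tag, so loading must fail rather than create an object.
    static final String TAGGED_CONFIG =
            "cluster_name: !!java.lang.Object {}\n";

    /** Parses YAML with SafeConstructor: only the standard tags are honoured. */
    static Map<String, Object> loadSafely(String document) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(document);
    }

    /** Returns true when the SafeConstructor-backed loader rejects the document. */
    static boolean isRejectedBySafeConstructor(String document) {
        try {
            loadSafely(document);
            return false;
        } catch (YAMLException e) {
            // Either the composer's tag check or SafeConstructor's
            // "could not determine a constructor for the tag" path ends here.
            return true;
        }
    }

    public static void main(String[] args) {
        Map<String, Object> cfg = loadSafely(PLAIN_CONFIG);
        System.out.println("cluster_name = " + cfg.get("cluster_name"));
        System.out.println("num_tokens   = " + cfg.get("num_tokens"));
        System.out.println("tagged document rejected: "
                + isRejectedBySafeConstructor(TAGGED_CONFIG));
    }
}
```

Run with snakeyaml 2.x on the classpath; the plain document loads into a Map while the tagged one is rejected. This is the behaviour the description relies on when it says the 1.26 findings do not apply to Cassandra; a dependency scanner sees only the artifact version, not which constructor the application passes to Yaml, which is why the report argues for upgrading regardless.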
--
This message was sent by Atlassian Jira
(v8.20.10#820010)