[https://issues.apache.org/jira/browse/CASSANDRA-18875?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17791270#comment-17791270]
Raymond Huffman commented on CASSANDRA-18875:
---------------------------------------------
I just want to flag that this version of snakeyaml now enforces a default limit
of 3MiB for the size of yaml files that it will parse. For JmxTool, the default
limit was too small for the unit tests. 10MiB was enough to pass the tests on
my machine, but I set it to 64MiB arbitrarily.
Is it possible for cassandra.yaml to be larger than 3MiB?
> Upgrade the snakeyaml library version
> -------------------------------------
>
> Key: CASSANDRA-18875
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18875
> Project: Cassandra
> Issue Type: Task
> Components: Local/Config
> Reporter: Jai Bheemsen Rao Dhanwada
> Assignee: Raymond Huffman
> Priority: Normal
> Fix For: 5.x
>
>
> Apache Cassandra uses version 1.26 of the snakeyaml dependency, and there are
> several [vulnerabilities|https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.26#]
> in this version that can be fixed by upgrading to the 2.x version. I understand
> that this is not a security issue, as Cassandra already uses SafeConstructor and
> it is not a vulnerability under OWASP, so there are no plans to fix it as per
> CASSANDRA-18122.
>
> Cassandra, as open source, is used and distributed by many enterprise customers,
> and when downloading Cassandra as a tar and using it, external scanners are
> not aware of the SafeConstructor implementation and have no idea whether it's
> vulnerable or not.
> Can we consider upgrading the version to 2.x in the next releases, as
> snakeyaml is not something that has a large dependency between the major and
> minor versions? I am happy to open a PR for this. Please let me know your
> thoughts on this.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
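An added example (my own, not code from this ticket or the Cassandra code base) showing how the SnakeYAML 2.x code point limit mentioned in the comment is configured per loader together with SafeConstructor. It assumes SnakeYAML 2.x on the classpath; the class and helper names, the sample YAML and the deliberately tiny 1024 limit are constructed for illustration.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import java.util.Map;

public class YamlLimitDemo {

    // Hypothetical helper: build a loader that rejects arbitrary Java types
    // (SafeConstructor) and bounds the input size (codePointLimit).
    // SnakeYAML 2.x defaults codePointLimit to 3 MiB; raise it only for the
    // entry point that needs it, since the limit caps memory used per document.
    static Yaml safeLoader(int codePointLimit) {
        LoaderOptions opts = new LoaderOptions();
        opts.setCodePointLimit(codePointLimit);
        return new Yaml(new SafeConstructor(opts));
    }

    // Parse a document; return null (and log) when it exceeds the limit.
    static Map<String, Object> loadOrNull(String yaml, int codePointLimit) {
        try {
            return safeLoader(codePointLimit).load(yaml);
        } catch (YAMLException e) {
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample config (not a real cassandra.yaml).
        String small = "cluster_name: demo\nnum_tokens: 16\n";

        // Constructed oversized document: ~20 KiB of padding.
        StringBuilder big = new StringBuilder(small);
        for (int i = 0; i < 100; i++) {
            big.append("key").append(i).append(": ").append("x".repeat(200)).append('\n');
        }

        // Default-sized limit: the small config parses.
        System.out.println(loadOrNull(small, 3 * 1024 * 1024));

        // Tiny limit: the padded document is refused before being built in memory.
        System.out.println(loadOrNull(big.toString(), 1024));

        // A larger explicit limit, as a tool such as JmxTool might set.
        System.out.println(loadOrNull(big.toString(), 64 * 1024 * 1024) != null);
    }
}
```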