[ https://issues.apache.org/jira/browse/CASSANDRA-20848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18015938#comment-18015938 ]
Stefan Miklosovic commented on CASSANDRA-20848:
-----------------------------------------------

The error is of this nature:

{code}
org.apache.cassandra.config.ConfigCompatibilityTest diff_5_0
java.lang.NoSuchMethodError: 'void org.yaml.snakeyaml.parser.ParserImpl.<init>(org.yaml.snakeyaml.reader.StreamReader, org.yaml.snakeyaml.LoaderOptions)'
	at com.fasterxml.jackson.dataformat.yaml.YAMLParser.<init>(YAMLParser.java:196)
	at com.fasterxml.jackson.dataformat.yaml.YAMLFactory._createParser(YAMLFactory.java:505)
	at com.fasterxml.jackson.dataformat.yaml.YAMLFactory.createParser(YAMLFactory.java:393)
	at com.fasterxml.jackson.dataformat.yaml.YAMLFactory.createParser(YAMLFactory.java:15)
	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3752)
	at org.apache.cassandra.config.ConfigCompatibilityTest.load(ConfigCompatibilityTest.java:246)
	at org.apache.cassandra.config.ConfigCompatibilityTest.diff(ConfigCompatibilityTest.java:161)
	at org.apache.cassandra.config.ConfigCompatibilityTest.diff_5_0(ConfigCompatibilityTest.java:154)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
{code}

There is a misalignment of snakeyaml and jackson I introduced in the PR. Jackson 2.19.2, which I bumped Jackson to, depends on snakeyaml 2.4, but Cassandra uses snakeyaml 1.26 in 4.0, 4.1 and 5.0. We use snakeyaml 2.1 in trunk.

The solution:

for 4.0 -> all is OK, we do not use jackson-dataformat-yaml which brings snakeyaml

for 4.1 -> we use jackson-dataformat-yaml of version 2.13.2 which already excludes snakeyaml. To be compatible with snakeyaml of Cassandra 4.1 (1.26), we can just downgrade jackson-dataformat-yaml to 2.13.2 (or keep it at what it is), and just bump the rest of the jackson libraries to 2.19.2.
jackson-dataformat-yaml is a test-scoped dependency only anyway.

for 5.0 -> same as for 4.1

for trunk -> we use snakeyaml 2.1 in prod. jackson-dataformat-yaml 2.19.2 is compatible with snakeyaml 2.1 so tests work, but it still excludes snakeyaml from its dependencies to get what we use in prod. Here we can update jackson-dataformat-yaml to 2.19.2 while we still continue to exclude snakeyaml, to depend on the prod snakeyaml instead.

> jackson-core vulnerability: CVE-2025-52999
> ------------------------------------------
>
>                 Key: CASSANDRA-20848
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-20848
>             Project: Apache Cassandra
>          Issue Type: Bug
>          Components: Dependencies
>            Reporter: ANSHUL SAINI
>            Assignee: Stefan Miklosovic
>            Priority: Normal
>             Fix For: 4.0.x, 4.1.x, 5.0.x, 5.x
>
>
> https://nvd.nist.gov/vuln/detail/CVE-2025-52999
> jackson-core contains core low-level incremental ("streaming") parser and
> generator abstractions used by Jackson Data Processor. In versions prior to
> 2.15.0, if a user parses an input file and it has deeply nested data, Jackson
> could end up throwing a StackOverflowError if the depth is particularly large.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
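The nesting-depth problem that CVE-2025-52999 describes is the reason the jackson-core bump matters beyond the test failure discussed above. As an added example, not code from the Cassandra issue, from the PR, or from Jackson's own documentation, the class below shows how jackson-core 2.15 and later lets a caller cap document nesting with StreamReadConstraints, so an over-nested input is rejected with a checked StreamConstraintsException instead of driving the recursive parser toward a StackOverflowError. The nested-array input is constructed inline, and the limit of 100 levels and the class name NestingDepthCheck are arbitrary choices for the demo, not values from the page.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;

import java.io.IOException;

/**
 * Added example (not from CASSANDRA-20848 or from Jackson itself): bound the
 * nesting depth a jackson-core (2.15+) parser will accept, and show the
 * difference between an input inside the limit and one far beyond it.
 */
public final class NestingDepthCheck {

    /** Constructed input: `depth` opening brackets, one number, `depth` closing brackets. */
    static String nestedArrays(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2 + 1);
        for (int i = 0; i < depth; i++) sb.append('[');
        sb.append('1');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    /**
     * A JsonFactory that refuses more than `maxDepth` nested arrays/objects.
     * StreamReadConstraints is the 2.15+ API that addresses the CVE; the
     * default maxNestingDepth is 1000, lowered here to 100 for the demo.
     */
    static JsonFactory boundedFactory(int maxDepth) {
        StreamReadConstraints constraints = StreamReadConstraints.builder()
                .maxNestingDepth(maxDepth)
                .build();
        return JsonFactory.builder()
                .streamReadConstraints(constraints)
                .build();
    }

    /** Streams through the whole document and returns the deepest nesting seen. */
    static int walk(JsonFactory factory, String json) throws IOException {
        int depth = 0;
        int maxSeen = 0;
        try (JsonParser p = factory.createParser(json)) {
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t.isStructStart()) {
                    depth++;
                    maxSeen = Math.max(maxSeen, depth);
                } else if (t.isStructEnd()) {
                    depth--;
                }
            }
        }
        return maxSeen;
    }

    public static void main(String[] args) throws IOException {
        JsonFactory bounded = boundedFactory(100);

        // Well within the limit: parses normally and reports depth 50.
        System.out.println("depth 50 -> max nesting " + walk(bounded, nestedArrays(50)));

        // Over the limit: the parser stops at level 101 with a checked exception,
        // rather than recursing through all 10_000 levels.
        try {
            walk(bounded, nestedArrays(10_000));
            System.out.println("unexpected: 10_000 levels accepted");
        } catch (StreamConstraintsException e) {
            System.out.println("rejected at configured depth: " + e.getMessage());
        }
    }
}
```

StreamConstraintsException is a subclass of IOException, so existing call sites that already handle parse failures will catch it without signature changes; the point of setting the limit explicitly rather than relying on the 2.15+ default is that the bound then matches what the application actually needs, which for Cassandra's YAML config is a handful of levels, not a thousand.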