[jira] [Comment Edited] (CASSANDRA-14427) Bump jackson version to >= 2.9.5
[ https://issues.apache.org/jira/browse/CASSANDRA-14427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16480188#comment-16480188 ]

Jason Brown edited comment on CASSANDRA-14427 at 5/18/18 5:29 AM:

Holy cow, [~Lerh Low]. Thanks for all the background info. Based on that, it looks like it is not imperative to upgrade the previous versions of Cassandra, and thus upgrading trunk is sufficient. +1 on the patch for trunk, and committed as sha {{76ef78b7d74972bd235159ca304648ab439fb715}}. Thanks!

was (Author: jasobrown):
Holy cow, [~Lerh Low]. Thanks for all the background info. Based on that, it looks like it is not imperative to upgrade the previous versions, and thus upgrading trunk is sufficient. +1 on the patch for trunk, and committed as sha {{76ef78b7d74972bd235159ca304648ab439fb715}}. Thanks!

> Bump jackson version to >= 2.9.5
>
>         Key: CASSANDRA-14427
>         URL: https://issues.apache.org/jira/browse/CASSANDRA-14427
>     Project: Cassandra
>  Issue Type: Improvement
>    Reporter: Lerh Chuan Low
>    Assignee: Lerh Chuan Low
>    Priority: Major
>     Fix For: 4.0
>
> Attachments: 2.1-14427.txt, 2.2-14427.txt, 3.0-14427.txt, 3.X-14427.txt, trunk-14427.txt
>
>
> The Jackson being used by Cassandra is really old (1.9.2, and still references codehaus (Jackson 1) instead of fasterxml (Jackson 2)).
> There have been a few jackson vulnerabilities recently (mostly around deserialization which allows arbitrary code execution)
> [https://nvd.nist.gov/vuln/detail/CVE-2017-7525]
> [https://nvd.nist.gov/vuln/detail/CVE-2017-15095]
> [https://nvd.nist.gov/vuln/detail/CVE-2018-1327]
> [https://nvd.nist.gov/vuln/detail/CVE-2018-7489]
> Given that Jackson in Cassandra is really old and seems to be used also for reading in values, it looks worthwhile to update Jackson to 2.9.5.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
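Added example (editor's addition, not code from the ticket, its patches or the Cassandra code base): a small Python audit of a lib/ directory listing that flags the two conditions the issue description raises, Jackson 1 (org.codehaus) jars still on the classpath and com.fasterxml Jackson 2 jars below the 2.9.5 floor from the ticket title, and additionally warns when Jackson 2 artifacts on one classpath disagree on version, which is what a partial bump looks like. The jar-name patterns, the function names and the SAMPLE_LIB listing are constructed for the example.

```python
"""Audit a lib/ listing for Jackson jars against the CASSANDRA-14427 floor.

Added example, not Cassandra project code. Jar names in SAMPLE_LIB are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Floor from the ticket title: Jackson >= 2.9.5.
MIN_SAFE_VERSION = (2, 9, 5)

# Jackson 1 (org.codehaus.jackson) shipped as jackson-core-asl / jackson-mapper-asl.
JACKSON1_JAR = re.compile(r"^jackson-(core|mapper)-asl-(\d+(?:\.\d+)*)\.jar$")
# Jackson 2 (com.fasterxml.jackson) ships as jackson-core, jackson-databind,
# jackson-annotations, jackson-dataformat-*, jackson-module-*, ... with an
# optional pre-release qualifier such as -rc1.
JACKSON2_JAR = re.compile(
    r"^jackson-([a-z][a-z-]*)-(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?\.jar$"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.9.5' -> (2, 9, 5); tuples compare numerically, so 2.9.10 > 2.9.5."""
    return tuple(int(part) for part in text.split("."))


def classify(jar_name: str) -> Optional[Tuple[str, str, str, Optional[str]]]:
    """Return (generation, artifact, version, qualifier) for a Jackson jar, else None."""
    m = JACKSON1_JAR.match(jar_name)
    if m:
        return ("jackson1", "jackson-%s-asl" % m.group(1), m.group(2), None)
    m = JACKSON2_JAR.match(jar_name)
    if m:
        return ("jackson2", "jackson-" + m.group(1), m.group(2), m.group(3))
    return None


def audit(jar_names: List[str]) -> List[Tuple[str, str]]:
    """Return (jar, reason) findings; an empty list means the listing meets the floor."""
    findings: List[Tuple[str, str]] = []
    jackson2_versions: Dict[str, str] = {}  # artifact -> full version string
    for name in jar_names:
        info = classify(name)
        if info is None:
            continue
        generation, artifact, version, qualifier = info
        if generation == "jackson1":
            findings.append((name, "Jackson 1 (org.codehaus.jackson) jar; the ticket's target is com.fasterxml Jackson 2 >= 2.9.5"))
            continue
        numeric = parse_version(version)
        full = version + ("-" + qualifier if qualifier else "")
        # A pre-release of the floor version (2.9.5-rc1) still sorts below the floor.
        if numeric < MIN_SAFE_VERSION or (numeric == MIN_SAFE_VERSION and qualifier):
            findings.append((name, "Jackson 2 %s is below the 2.9.5 floor" % full))
        jackson2_versions[artifact] = full
    # Jackson 2 artifacts are released together; mixed versions on one
    # classpath usually mean only some of the jars were bumped.
    if len(set(jackson2_versions.values())) > 1:
        detail = ", ".join("%s=%s" % kv for kv in sorted(jackson2_versions.items()))
        findings.append(("<classpath>", "mixed Jackson 2 versions: " + detail))
    return findings


# Constructed lib/ listing for the demonstration, not a real Cassandra lib directory.
SAMPLE_LIB = [
    "guava-18.0.jar",
    "jackson-core-asl-1.9.2.jar",
    "jackson-mapper-asl-1.9.2.jar",
    "jackson-core-2.9.5.jar",
    "jackson-databind-2.9.4.jar",
    "jackson-annotations-2.9.5.jar",
]

if __name__ == "__main__":
    for jar, reason in audit(SAMPLE_LIB):
        print("%-32s %s" % (jar, reason))
```

Run against a real lib/ directory by passing `os.listdir("lib")` to `audit()`. The mixed-version check is deliberately separate from the floor check: a classpath where every jar is >= 2.9.5 but jackson-core and jackson-databind disagree is still worth a second look before shipping the bump.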
[jira] [Comment Edited] (CASSANDRA-14427) Bump jackson version to >= 2.9.5
[ https://issues.apache.org/jira/browse/CASSANDRA-14427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16463246#comment-16463246 ]

Lerh Chuan Low edited comment on CASSANDRA-14427 at 5/4/18 2:55 AM:

Updated the patch; turns out I missed a few things. The 2.2 CI failed, but it seems unrelated. I tried running the test locally, it works, so trying again: https://circleci.com/gh/juiceblender/cassandra/84
Updated 2.1 CCI: https://circleci.com/gh/juiceblender/cassandra/85

was (Author: lerh low):
Updated the patch; turns out I missed a few things. The 2.2 CI failed, but it seems unrelated. I tried running the test locally, it works, so trying again: https://circleci.com/gh/juiceblender/cassandra/82
Updated 2.1 CCI: https://circleci.com/gh/juiceblender/cassandra/81
[jira] [Comment Edited] (CASSANDRA-14427) Bump jackson version to >= 2.9.5
[ https://issues.apache.org/jira/browse/CASSANDRA-14427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16458271#comment-16458271 ]

Lerh Chuan Low edited comment on CASSANDRA-14427 at 4/30/18 6:59 AM:

Github branch if preferred:
[https://github.com/juiceblender/cassandra/tree/jackson-update]
[https://github.com/juiceblender/cassandra/tree/jackson-update-3.X https://github.com/juiceblender/cassandra/tree/jackson-update-3.0 https://github.com/juiceblender/cassandra/tree/jackson-update-2.2 https://github.com/juiceblender/cassandra/tree/jackson-update-2.1|https://github.com/juiceblender/cassandra/tree/jackson-update-3.X]

CCI:
[https://circleci.com/gh/juiceblender/cassandra/76] (trunk)
[https://circleci.com/gh/juiceblender/cassandra/77] (3.X)
[https://circleci.com/gh/juiceblender/cassandra/78] (3.0)
[https://circleci.com/gh/juiceblender/cassandra/79] (2.2)
[https://circleci.com/gh/juiceblender/cassandra/80] (2.1)

I get the feeling some of the CCIs may fail (to my knowledge they currently don't work on 3.X and 3.0, not sure about 2.Xs).

was (Author: lerh low):
Github branch if preferred:
[https://github.com/juiceblender/cassandra/tree/jackson-update]
[https://github.com/juiceblender/cassandra/tree/jackson-update-3.X https://github.com/juiceblender/cassandra/tree/jackson-update-3.0 |https://github.com/juiceblender/cassandra/tree/jackson-update-3.X]
[https://github.com/juiceblender/cassandra/tree/jackson-update-2|https://github.com/juiceblender/cassandra/tree/jackson-update-3.0].2
[https://github.com/juiceblender/cassandra/tree/jackson-update-2|https://github.com/juiceblender/cassandra/tree/jackson-update-3.0].1

CCI:
[https://circleci.com/gh/juiceblender/cassandra/76] (trunk)
[https://circleci.com/gh/juiceblender/cassandra/77] (3.X)
[https://circleci.com/gh/juiceblender/cassandra/78] (3.0)
[https://circleci.com/gh/juiceblender/cassandra/79] (2.2)
[https://circleci.com/gh/juiceblender/cassandra/80] (2.1)

I get the feeling some of the CCIs may fail (to my knowledge they currently don't work on 3.X and 3.0, not sure about 2.Xs).
[jira] [Comment Edited] (CASSANDRA-14427) Bump jackson version to >= 2.9.5
[ https://issues.apache.org/jira/browse/CASSANDRA-14427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16458271#comment-16458271 ]

Lerh Chuan Low edited comment on CASSANDRA-14427 at 4/30/18 6:59 AM:

Github branch if preferred:
[https://github.com/juiceblender/cassandra/tree/jackson-update]
[https://github.com/juiceblender/cassandra/tree/jackson-update-3.0]
[https://github.com/juiceblender/cassandra/tree/jackson-update-2.2]
[https://github.com/juiceblender/cassandra/tree/jackson-update-2.1]

CCI:
[https://circleci.com/gh/juiceblender/cassandra/76] (trunk)
[https://circleci.com/gh/juiceblender/cassandra/77] (3.X)
[https://circleci.com/gh/juiceblender/cassandra/78] (3.0)
[https://circleci.com/gh/juiceblender/cassandra/79] (2.2)
[https://circleci.com/gh/juiceblender/cassandra/80] (2.1)

I get the feeling some of the CCIs may fail (to my knowledge they currently don't work on 3.X and 3.0, not sure about 2.Xs).

was (Author: lerh low):
Github branch if preferred:
[https://github.com/juiceblender/cassandra/tree/jackson-update]
[https://github.com/juiceblender/cassandra/tree/jackson-update-3.X https://github.com/juiceblender/cassandra/tree/jackson-update-3.0 https://github.com/juiceblender/cassandra/tree/jackson-update-2.2 https://github.com/juiceblender/cassandra/tree/jackson-update-2.1|https://github.com/juiceblender/cassandra/tree/jackson-update-3.X]

CCI:
[https://circleci.com/gh/juiceblender/cassandra/76] (trunk)
[https://circleci.com/gh/juiceblender/cassandra/77] (3.X)
[https://circleci.com/gh/juiceblender/cassandra/78] (3.0)
[https://circleci.com/gh/juiceblender/cassandra/79] (2.2)
[https://circleci.com/gh/juiceblender/cassandra/80] (2.1)

I get the feeling some of the CCIs may fail (to my knowledge they currently don't work on 3.X and 3.0, not sure about 2.Xs).
[jira] [Comment Edited] (CASSANDRA-14427) Bump jackson version to >= 2.9.5
[ https://issues.apache.org/jira/browse/CASSANDRA-14427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16458271#comment-16458271 ]

Lerh Chuan Low edited comment on CASSANDRA-14427 at 4/30/18 7:00 AM:

Github branch if preferred:
[https://github.com/juiceblender/cassandra/tree/jackson-update]
[https://github.com/juiceblender/cassandra/tree/jackson-update-3.X]
[https://github.com/juiceblender/cassandra/tree/jackson-update-3.0]
[https://github.com/juiceblender/cassandra/tree/jackson-update-2.2]
[https://github.com/juiceblender/cassandra/tree/jackson-update-2.1]

CCI:
[https://circleci.com/gh/juiceblender/cassandra/76] (trunk)
[https://circleci.com/gh/juiceblender/cassandra/77] (3.X)
[https://circleci.com/gh/juiceblender/cassandra/78] (3.0)
[https://circleci.com/gh/juiceblender/cassandra/79] (2.2)
[https://circleci.com/gh/juiceblender/cassandra/80] (2.1)

I get the feeling some of the CCIs may fail (to my knowledge they currently don't work on 3.X and 3.0, not sure about 2.Xs).

was (Author: lerh low):
Github branch if preferred:
[https://github.com/juiceblender/cassandra/tree/jackson-update]
[https://github.com/juiceblender/cassandra/tree/jackson-update-3.0]
[https://github.com/juiceblender/cassandra/tree/jackson-update-2.2]
[https://github.com/juiceblender/cassandra/tree/jackson-update-2.1]

CCI:
[https://circleci.com/gh/juiceblender/cassandra/76] (trunk)
[https://circleci.com/gh/juiceblender/cassandra/77] (3.X)
[https://circleci.com/gh/juiceblender/cassandra/78] (3.0)
[https://circleci.com/gh/juiceblender/cassandra/79] (2.2)
[https://circleci.com/gh/juiceblender/cassandra/80] (2.1)

I get the feeling some of the CCIs may fail (to my knowledge they currently don't work on 3.X and 3.0, not sure about 2.Xs).
[jira] [Comment Edited] (CASSANDRA-14427) Bump jackson version to >= 2.9.5
[ https://issues.apache.org/jira/browse/CASSANDRA-14427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16458271#comment-16458271 ]

Lerh Chuan Low edited comment on CASSANDRA-14427 at 4/30/18 6:58 AM:

Github branch if preferred:
[https://github.com/juiceblender/cassandra/tree/jackson-update]
[https://github.com/juiceblender/cassandra/tree/jackson-update-3.X https://github.com/juiceblender/cassandra/tree/jackson-update-3.0 |https://github.com/juiceblender/cassandra/tree/jackson-update-3.X]
[https://github.com/juiceblender/cassandra/tree/jackson-update-2|https://github.com/juiceblender/cassandra/tree/jackson-update-3.0].2
[https://github.com/juiceblender/cassandra/tree/jackson-update-2|https://github.com/juiceblender/cassandra/tree/jackson-update-3.0].1

CCI:
[https://circleci.com/gh/juiceblender/cassandra/76] (trunk)
[https://circleci.com/gh/juiceblender/cassandra/77] (3.X)
[https://circleci.com/gh/juiceblender/cassandra/78] (3.0)
[https://circleci.com/gh/juiceblender/cassandra/79] (2.2)
[https://circleci.com/gh/juiceblender/cassandra/80] (2.1)

I get the feeling some of the CCIs may fail (to my knowledge they currently don't work on 3.X and 3.0, not sure about 2.Xs).

was (Author: lerh low):
Github branch if preferred:
[https://github.com/juiceblender/cassandra/tree/jackson-update]
[ https://github.com/juiceblender/cassandra/tree/jackson-update-3.X|https://github.com/juiceblender/cassandra/tree/jackson-update]
[https://github.com/juiceblender/cassandra/tree/jackson-update-3.0]
[https://github.com/juiceblender/cassandra/tree/jackson-update-2|https://github.com/juiceblender/cassandra/tree/jackson-update-3.0].2
[https://github.com/juiceblender/cassandra/tree/jackson-update-2|https://github.com/juiceblender/cassandra/tree/jackson-update-3.0].1

CCI:
[https://circleci.com/gh/juiceblender/cassandra/76] (trunk)
[https://circleci.com/gh/juiceblender/cassandra/77] (3.X)
[https://circleci.com/gh/juiceblender/cassandra/78] (3.0)
[https://circleci.com/gh/juiceblender/cassandra/79] (2.2)
[https://circleci.com/gh/juiceblender/cassandra/80] (2.1)

I get the feeling some of the CCIs may fail (to my knowledge they currently don't work on 3.X and 3.0, not sure about 2.Xs).
[jira] [Comment Edited] (CASSANDRA-14427) Bump jackson version to >= 2.9.5
[ https://issues.apache.org/jira/browse/CASSANDRA-14427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16458271#comment-16458271 ]

Lerh Chuan Low edited comment on CASSANDRA-14427 at 4/30/18 6:57 AM:

Github branch if preferred:
[https://github.com/juiceblender/cassandra/tree/jackson-update]
[ https://github.com/juiceblender/cassandra/tree/jackson-update-3.X|https://github.com/juiceblender/cassandra/tree/jackson-update]
[https://github.com/juiceblender/cassandra/tree/jackson-update-3.0]
[https://github.com/juiceblender/cassandra/tree/jackson-update-2|https://github.com/juiceblender/cassandra/tree/jackson-update-3.0].2
[https://github.com/juiceblender/cassandra/tree/jackson-update-2|https://github.com/juiceblender/cassandra/tree/jackson-update-3.0].1

CCI:
[https://circleci.com/gh/juiceblender/cassandra/76] (trunk)
[https://circleci.com/gh/juiceblender/cassandra/77] (3.X)
[https://circleci.com/gh/juiceblender/cassandra/78] (3.0)
[https://circleci.com/gh/juiceblender/cassandra/79] (2.2)
[https://circleci.com/gh/juiceblender/cassandra/80] (2.1)

I get the feeling some of the CCIs may fail (to my knowledge they currently don't work on 3.X and 3.0, not sure about 2.Xs).

was (Author: lerh low):
Github branch if preferred:
[https://github.com/juiceblender/cassandra/tree/jackson-update]

CCI:
[https://circleci.com/gh/juiceblender/cassandra/76]

Not sure if these should include all the previous versions (I think it should), let me know if I'm on the right track + if I should create patches for 2.1/2.2/3.0/3. Thanks!