[jira] [Updated] (CASSANDRA-14427) Bump jackson version to >= 2.9.5
[ https://issues.apache.org/jira/browse/CASSANDRA-14427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jason Brown updated CASSANDRA-14427:

    Resolution: Fixed
    Reviewer: Jason Brown
    Fix Version/s: 4.0
    Status: Resolved (was: Patch Available)

Holy cow, [~Lerh Low]. Thanks for all the background info. Based on that, it looks like it is not imperative to upgrade the previous versions, and thus upgrading trunk is sufficient.

+1 on the patch for trunk, and committed as sha {{76ef78b7d74972bd235159ca304648ab439fb715}}.

Thanks!

> Bump jackson version to >= 2.9.5
>
> Key: CASSANDRA-14427
> URL: https://issues.apache.org/jira/browse/CASSANDRA-14427
> Project: Cassandra
> Issue Type: Improvement
> Reporter: Lerh Chuan Low
> Assignee: Lerh Chuan Low
> Priority: Major
> Fix For: 4.0
>
> Attachments: 2.1-14427.txt, 2.2-14427.txt, 3.0-14427.txt,
> 3.X-14427.txt, trunk-14427.txt
>
> The Jackson being used by Cassandra is really old (1.9.2, and still
> references codehaus (Jackson 1) instead of fasterxml (Jackson 2)).
> There have been a few jackson vulnerabilities recently (mostly around
> deserialization which allows arbitrary code execution)
> [https://nvd.nist.gov/vuln/detail/CVE-2017-7525]
> [https://nvd.nist.gov/vuln/detail/CVE-2017-15095]
> [https://nvd.nist.gov/vuln/detail/CVE-2018-1327]
> [https://nvd.nist.gov/vuln/detail/CVE-2018-7489]
> Given that Jackson in Cassandra is really old and seems to be used also for
> reading in values, it looks worthwhile to update Jackson to 2.9.5.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)

To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Updated] (CASSANDRA-14427) Bump jackson version to >= 2.9.5
[ https://issues.apache.org/jira/browse/CASSANDRA-14427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lerh Chuan Low updated CASSANDRA-14427:

    Attachment: (was: 2.1-14427.txt)
[jira] [Updated] (CASSANDRA-14427) Bump jackson version to >= 2.9.5
[ https://issues.apache.org/jira/browse/CASSANDRA-14427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lerh Chuan Low updated CASSANDRA-14427:

    Attachment: 2.2-14427.txt
                2.1-14427.txt
[jira] [Updated] (CASSANDRA-14427) Bump jackson version to >= 2.9.5
[ https://issues.apache.org/jira/browse/CASSANDRA-14427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lerh Chuan Low updated CASSANDRA-14427:

    Attachment: (was: 2.2-14427.txt)
[jira] [Updated] (CASSANDRA-14427) Bump jackson version to >= 2.9.5
[ https://issues.apache.org/jira/browse/CASSANDRA-14427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lerh Chuan Low updated CASSANDRA-14427:

    Attachment: 2.1-14427.txt
[jira] [Updated] (CASSANDRA-14427) Bump jackson version to >= 2.9.5
[ https://issues.apache.org/jira/browse/CASSANDRA-14427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lerh Chuan Low updated CASSANDRA-14427:

    Attachment: (was: 2.1-14427.txt)
[jira] [Updated] (CASSANDRA-14427) Bump jackson version to >= 2.9.5
[ https://issues.apache.org/jira/browse/CASSANDRA-14427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kurt Greaves updated CASSANDRA-14427:

    Status: Patch Available (was: Open)
[jira] [Updated] (CASSANDRA-14427) Bump jackson version to >= 2.9.5
[ https://issues.apache.org/jira/browse/CASSANDRA-14427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lerh Chuan Low updated CASSANDRA-14427:

    Attachment: 3.X-14427.txt
                3.0-14427.txt
                2.2-14427.txt
                2.1-14427.txt
[jira] [Updated] (CASSANDRA-14427) Bump jackson version to >= 2.9.5
[ https://issues.apache.org/jira/browse/CASSANDRA-14427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lerh Chuan Low updated CASSANDRA-14427:

    Attachment: trunk-14427.txt