[jira] [Commented] (CASSANDRA-15867) Update Jackson version to 2.9.10.1 because there are security issues in 2.9.5
[ https://issues.apache.org/jira/browse/CASSANDRA-15867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17140652#comment-17140652 ]

Brandon Williams commented on CASSANDRA-15867:
----------------------------------------------

There were a few more references you missed: https://github.com/driftx/cassandra/commit/de9002b3db53d73b63dab57a5642e928688c6301

Commit pending CI results.

> Update Jackson version to 2.9.10.1 because there are security issues in 2.9.5
> -----------------------------------------------------------------------------
>
>                 Key: CASSANDRA-15867
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15867
>             Project: Cassandra
>          Issue Type: Task
>          Components: Dependencies
>            Reporter: Stefan Miklosovic
>            Assignee: Stefan Miklosovic
>            Priority: Normal
>             Fix For: 3.11.7, 4.0-alpha5
>
>         Attachments: dependency-check-report.html
>
>
> Please see attached HTML report from OWASP dependency check for current 4.0-alpha5 trunk branch.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-15867) Update Jackson version to 2.9.10.1 because there are security issues in 2.9.5
[ https://issues.apache.org/jira/browse/CASSANDRA-15867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17140462#comment-17140462 ]

Stefan Miklosovic commented on CASSANDRA-15867:
-----------------------------------------------

Hi [~tomasz.lasica] and [~brandon.williams]

These classes are in the jackson-core-asl jar, but interestingly enough, that jar is in "build/lib/jars" but not in "lib". If I start with a completely clean build dir and do "ant artifacts", it all builds, and the resulting tarball does not contain these jars (which is right), but they are part of "build/lib/jars" and I do not have the slightest clue why they are there, because they are not referenced anywhere in the whole build.xml. Who is adding them there?

build/lib/jars/jackson-core-asl-1.0.1.jar
build/lib/jackson-mapper-asl-1.0.1.jar

This should fix it: [https://github.com/apache/cassandra/pull/645]
[jira] [Commented] (CASSANDRA-15867) Update Jackson version to 2.9.10.1 because there are security issues in 2.9.5
[ https://issues.apache.org/jira/browse/CASSANDRA-15867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17140414#comment-17140414 ]

Tomasz Lasica commented on CASSANDRA-15867:
-------------------------------------------

Would it be possible that this change broke some dtests: [https://ci-cassandra.apache.org/job/Cassandra-3.11/56/#showFailuresLink]

{noformat}
Unexpected error found in node logs (see stdout for full details). Errors: [ERROR [main] 2020-06-17 17:56:35,302 CassandraDaemon.java:775 - Exception encountered during startup
java.lang.NoClassDefFoundError: org/codehaus/jackson/JsonNode
    at org.apache.cassandra.db.compaction.CompactionStrategyManager.<init>(CompactionStrategyManager.java:123) ~[main/:na]
    at org.apache.cassandra.db.compaction.CompactionStrategyManager.<init>(CompactionStrategyManager.java:113) ~[main/:na]
    at org.apache.cassandra.db.ColumnFamilyStore.<init>(ColumnFamilyStore.java:454) ~[main/:na]
    at org.apache.cassandra.db.ColumnFamilyStore.createColumnFamilyStore(ColumnFamilyStore.java:637) ~[main/:na]
    at org.apache.cassandra.db.ColumnFamilyStore.createColumnFamilyStore(ColumnFamilyStore.java:611) ~[main/:na]
    at org.apache.cassandra.db.ColumnFamilyStore.createColumnFamilyStore(ColumnFamilyStore.java:602) ~[main/:na]
    at org.apache.cassandra.db.Keyspace.initCf(Keyspace.java:417) ~[main/:na]
    at org.apache.cassandra.db.Keyspace.<init>(Keyspace.java:324) ~[main/:na]
    at org.apache.cassandra.db.Keyspace.open(Keyspace.java:129) ~[main/:na]
    at org.apache.cassandra.db.Keyspace.open(Keyspace.java:106) ~[main/:na]
    at org.apache.cassandra.db.SystemKeyspace.checkHealth(SystemKeyspace.java:976) ~[main/:na]
    at org.apache.cassandra.service.StartupChecks$10.execute(StartupChecks.java:422) ~[main/:na]
    at org.apache.cassandra.service.StartupChecks.verify(StartupChecks.java:125) ~[main/:na]
    at org.apache.cassandra.service.CassandraDaemon.setup(CassandraDaemon.java:207) [main/:na]
    at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:631) [main/:na]
    at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:758) [main/:na]
Caused by: java.lang.ClassNotFoundException: org.codehaus.jackson.JsonNode
    at java.net.URLClassLoader.findClass(URLClassLoader.java:382) ~[na:1.8.0_242]
    at java.lang.ClassLoader.loadClass(ClassLoader.java:419) ~[na:1.8.0_242]
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:352) ~[na:1.8.0_242]
    at java.lang.ClassLoader.loadClass(ClassLoader.java:352) ~[na:1.8.0_242]
    ... 16 common frames omitted, ERROR [main] 2020-06-17 17:56:35,302 CassandraDaemon.java:775 - Exception encountered during startup
java.lang.NoClassDefFoundError: org/codehaus/jackson/JsonNode
    at org.apache.cassandra.db.compaction.CompactionStrategyManager.<init>(CompactionStrategyManager.java:123) ~[main/:na]
    at org.apache.cassandra.db.compaction.CompactionStrategyManager.<init>(CompactionStrategyManager.java:113) ~[main/:na]
    at org.apache.cassandra.db.ColumnFamilyStore.<init>(ColumnFamilyStore.java:454) ~[main/:na]
    at org.apache.cassandra.db.ColumnFamilyStore.createColumnFamilyStore(ColumnFamilyStore.java:637) ~[main/:na]
    at org.apache.cassandra.db.ColumnFamilyStore.createColumnFamilyStore(ColumnFamilyStore.java:611) ~[main/:na]
    at org.apache.cassandra.db.ColumnFamilyStore.createColumnFamilyStore(ColumnFamilyStore.java:602) ~[main/:na]
    at org.apache.cassandra.db.Keyspace.initCf(Keyspace.java:417) ~[main/:na]
    at org.apache.cassandra.db.Keyspace.<init>(Keyspace.java:324) ~[main/:na]
    at org.apache.cassandra.db.Keyspace.open(Keyspace.java:129) ~[main/:na]
    at org.apache.cassandra.db.Keyspace.open(Keyspace.java:106) ~[main/:na]
    at org.apache.cassandra.db.SystemKeyspace.checkHealth(SystemKeyspace.java:976) ~[main/:na]
    at org.apache.cassandra.service.StartupChecks$10.execute(StartupChecks.java:422) ~[main/:na]
    at org.apache.cassandra.service.StartupChecks.verify(StartupChecks.java:125) ~[main/:na]
    at org.apache.cassandra.service.CassandraDaemon.setup(CassandraDaemon.java:207) [main/:na]
    at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:631) [main/:na]
    at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:758) [main/:na]
Caused by: java.lang.ClassNotFoundException: org.codehaus.jackson.JsonNode
    at java.net.URLClassLoader.findClass(URLClassLoader.java:382) ~[na:1.8.0_242]
    at java.lang.ClassLoader.loadClass(ClassLoader.java:419) ~[na:1.8.0_242]
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:352) ~[na:1.8.0_242]
    at java.lang.ClassLoader.loadClass(ClassLoader.java:352) ~[na:1.8.0_242]
    ... 16 common frames omitted]
{noformat}

Thanks!
Tomek
[jira] [Commented] (CASSANDRA-15867) Update Jackson version to 2.9.10.1 because there are security issues in 2.9.5
[ https://issues.apache.org/jira/browse/CASSANDRA-15867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17138620#comment-17138620 ]

Brandon Williams commented on CASSANDRA-15867:
----------------------------------------------

Committed, thanks!
[jira] [Commented] (CASSANDRA-15867) Update Jackson version to 2.9.10.1 because there are security issues in 2.9.5
[ https://issues.apache.org/jira/browse/CASSANDRA-15867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17134839#comment-17134839 ]

Stefan Miklosovic commented on CASSANDRA-15867:
-----------------------------------------------

[~brandon.williams] this is the patch for 3.11: [https://github.com/apache/cassandra/pull/632]

I have also fixed one test in SASIIndexTest because it was failing in o.a.c.db.marshall.AbstractType#writeValue. [~ifesdjeen] was making changes here as part of CASSANDRA-15778 and the test was throwing that AssertionError, so the rest of the test method failed to complete. I am just catching that exception in that test and asserting that we should see it.
[jira] [Commented] (CASSANDRA-15867) Update Jackson version to 2.9.10.1 because there are security issues in 2.9.5
[ https://issues.apache.org/jira/browse/CASSANDRA-15867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17134464#comment-17134464 ]

Brandon Williams commented on CASSANDRA-15867:
----------------------------------------------

I would say if we fix it in one branch, but another is also vulnerable for the same reason, we should fix it there too.

> This holds for more dependencies, what is the general approach here?

I would take it on a case-by-case basis. I looked into the Jackson vulnerability and it does seem to be exploitable for us (though I don't know why users would DoS their database on purpose; certainly accidents can happen.)
[jira] [Commented] (CASSANDRA-15867) Update Jackson version to 2.9.10.1 because there are security issues in 2.9.5
[ https://issues.apache.org/jira/browse/CASSANDRA-15867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17134461#comment-17134461 ]

Stefan Miklosovic commented on CASSANDRA-15867:
-----------------------------------------------

[~brandon.williams] I tried to apply it on 3.11 but there are incompatibilities on the source-code level (classes not there, etc.). I do not want to make any changes to the codebase of 3.11 unnecessarily; what is your opinion here? Should I invest time to bump it while it is not so trivial? This holds for more dependencies, what is the general approach here?
[jira] [Commented] (CASSANDRA-15867) Update Jackson version to 2.9.10.1 because there are security issues in 2.9.5
[ https://issues.apache.org/jira/browse/CASSANDRA-15867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17134251#comment-17134251 ]

Brandon Williams commented on CASSANDRA-15867:
----------------------------------------------

We can merge it into 3.11 as well; your patch was against trunk so I just went with that. The patch doesn't cleanly apply to 3.11.
[jira] [Commented] (CASSANDRA-15867) Update Jackson version to 2.9.10.1 because there are security issues in 2.9.5
[ https://issues.apache.org/jira/browse/CASSANDRA-15867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17133974#comment-17133974 ]

Stefan Miklosovic commented on CASSANDRA-15867:
-----------------------------------------------

[~brandon.williams] don't we want to see this merged in 3.11 as well? I see that the coordinates for jackson are totally different, so maybe I'll do that scan against 3.11 and see how we stand.
[jira] [Commented] (CASSANDRA-15867) Update Jackson version to 2.9.10.1 because there are security issues in 2.9.5
[ https://issues.apache.org/jira/browse/CASSANDRA-15867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17133061#comment-17133061 ]

Stefan Miklosovic commented on CASSANDRA-15867:
-----------------------------------------------

[~brandon.williams] because of my fat fingers :) It is fixed now; the md5 of that 2.9.10.4 is 97194476768138773e1ecce4b8b5efa9
[jira] [Commented] (CASSANDRA-15867) Update Jackson version to 2.9.10.1 because there are security issues in 2.9.5
[ https://issues.apache.org/jira/browse/CASSANDRA-15867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17132659#comment-17132659 ]

Brandon Williams commented on CASSANDRA-15867:
----------------------------------------------

Why is the included jackson-databind labeled 2.9.10.4, but the build.xml change specifies 2.9.10.1?
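A cross-check that catches both kinds of drift raised in this thread (a jar labelled 2.9.10.4 while build.xml pins 2.9.10.1, and jackson-*-asl jars sitting in build/lib/jars that no dependency declares), written as an added example rather than anything from the Cassandra build. The `<dependency groupId artifactId version/>` shape of build.xml and the jar listing are constructed assumptions.

```python
"""Cross-check the jars a build drops into lib/ against the coordinates
declared in build.xml.  Added example, not Cassandra's own tooling; the
build.xml fragment and jar listing below are constructed to mirror the
ticket: a jar labelled 2.9.10.4 while build.xml says 2.9.10.1, and
jackson-*-asl jars that no <dependency> element references."""
import re
import xml.etree.ElementTree as ET

# Constructed build.xml fragment; the <dependency groupId/artifactId/version>
# element shape is an assumption, not copied from the real file.
BUILD_XML = """<project>
  <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-core" version="2.9.10"/>
  <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-databind" version="2.9.10.1"/>
  <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-annotations" version="2.9.10"/>
</project>"""

# Constructed listing of lib/ plus the stray jars found in build/lib/jars/.
JARS = [
    "jackson-core-2.9.10.jar",
    "jackson-databind-2.9.10.4.jar",
    "jackson-annotations-2.9.10.jar",
    "jackson-core-asl-1.0.1.jar",
    "jackson-mapper-asl-1.0.1.jar",
]

# artifactId, then a dash and a version that starts with a digit.
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")

def declared_versions(build_xml):
    """Map artifactId -> version for every <dependency> element."""
    root = ET.fromstring(build_xml)
    return {d.get("artifactId"): d.get("version") for d in root.iter("dependency")}

def split_jar(name):
    """'jackson-core-asl-1.0.1.jar' -> ('jackson-core-asl', '1.0.1')."""
    m = JAR_RE.match(name)
    return (m.group("artifact"), m.group("version")) if m else (name, None)

def audit(build_xml, jars):
    """Jars whose version differs from build.xml, jars build.xml never declares
    (the asl jars), and declared jars that are absent from the listing."""
    declared = declared_versions(build_xml)
    report = {"mismatch": [], "undeclared": [], "missing": []}
    seen = set()
    for jar in jars:
        artifact, version = split_jar(jar)
        seen.add(artifact)
        if artifact not in declared:
            report["undeclared"].append(jar)
        elif declared[artifact] != version:
            report["mismatch"].append((jar, declared[artifact]))
    report["missing"] = sorted(set(declared) - seen)
    return report

if __name__ == "__main__":
    for kind, items in audit(BUILD_XML, JARS).items():
        print(kind, items)
```

Either a mismatch or an undeclared jar means the classpath that ships is not the one that was reviewed, which is exactly how a stale vulnerable jar survives a version bump.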
[jira] [Commented] (CASSANDRA-15867) Update Jackson version to 2.9.10.1 because there are security issues in 2.9.5
[ https://issues.apache.org/jira/browse/CASSANDRA-15867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17130104#comment-17130104 ]

Stefan Miklosovic commented on CASSANDRA-15867:
-----------------------------------------------

[https://github.com/apache/cassandra/compare/trunk...smiklosovic:CASSANDRA-15867]