[
https://issues.apache.org/jira/browse/CASSANDRA-14427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16458271#comment-16458271
]
Lerh Chuan Low edited comment on CASSANDRA-14427 at 4/30/18 6:57 AM:
---------------------------------------------------------------------
Github branch if preferred:
[https://github.com/juiceblender/cassandra/tree/jackson-update] [
https://github.com/juiceblender/cassandra/tree/jackson-update-3.X|https://github.com/juiceblender/cassandra/tree/jackson-update]
[https://github.com/juiceblender/cassandra/tree/jackson-update-3.0]
[https://github.com/juiceblender/cassandra/tree/jackson-update-2|https://github.com/juiceblender/cassandra/tree/jackson-update-3.0].2
[https://github.com/juiceblender/cassandra/tree/jackson-update-2|https://github.com/juiceblender/cassandra/tree/jackson-update-3.0].1
CCI:
[https://circleci.com/gh/juiceblender/cassandra/76] (trunk)
[https://circleci.com/gh/juiceblender/cassandra/77] (3.X)
[https://circleci.com/gh/juiceblender/cassandra/78] (3.0)
[https://circleci.com/gh/juiceblender/cassandra/79] (2.2)
[https://circleci.com/gh/juiceblender/cassandra/80] (2.1)
I get the feeling some of the CCIs may fail (to my knowledge they currently
don't work on 3.X and 3.0, not sure about 2.Xs).
was (Author: lerh low):
Github branch if preferred:
[https://github.com/juiceblender/cassandra/tree/jackson-update]
CCI: [https://circleci.com/gh/juiceblender/cassandra/76]
Not sure if these should include all the previous versions (I think it should),
let me know if I'm on the right track + if I should create patches for
2.1/2.2/3.0/3. Thanks!
> Bump jackson version to >= 2.9.5
> --------------------------------
>
> Key: CASSANDRA-14427
> URL: https://issues.apache.org/jira/browse/CASSANDRA-14427
> Project: Cassandra
> Issue Type: Improvement
> Reporter: Lerh Chuan Low
> Assignee: Lerh Chuan Low
> Priority: Major
> Attachments: 2.1-14427.txt, 2.2-14427.txt, 3.0-14427.txt,
> 3.X-14427.txt, trunk-14427.txt
>
>
> The Jackson being used by Cassandra is really old (1.9.2, and still
> references codehaus (Jackson 1) instead of fasterxml (Jackson 2)).
> There have been a few jackson vulnerabilities recently (mostly around
> deserialization which allows arbitrary code execution)
> [https://nvd.nist.gov/vuln/detail/CVE-2017-7525]
> [https://nvd.nist.gov/vuln/detail/CVE-2017-15095]
> [https://nvd.nist.gov/vuln/detail/CVE-2018-1327]
> [https://nvd.nist.gov/vuln/detail/CVE-2018-7489]
> Given that Jackson in Cassandra is really old and seems to be used also for
> reading in values, it looks worthwhile to update Jackson to 2.9.5.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
