[ https://issues.apache.org/jira/browse/CASSANDRA-16150?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17204967#comment-17204967 ]

David Capwell commented on CASSANDRA-16150:
-------------------------------------------

bq. I think you reverted a snakeyaml upgrade patch from another ticket recently?

What? [~ifesdjeen] just upgraded to 1.23 for a harry patch and he fixed a bug caused after the merge; trunk is currently 1.23.

bq. Just decided to mention it as, as far as I remember, the update there led to ClassCastExceptions.

Fixed in commit 

{code}
commit fb49ab2b12bf813697971b41fe47ac11f4a240c0
Author: Alex Petrov <oleksandr.pet...@gmail.com>
Date:   Sun Sep 20 13:24:22 2020 +0300

    Fix test failure caused by CASSANDRA-16102

    Patch by Alex Petrov; reviewed by David Capwell for CASSANDRA-16102
{code}

bq. So further to the Cassandra specifics, probably worth to check on snakeyaml side what breaking changes were done in the new version that might require additional work on our end (if it wasn't checked already)

Yep, a good place to start is unit + dtest. I can run the dtests, was hoping [~crazylab] would take the unit tests.

> Upgrade to snakeyaml >= 1.26 version for CVE-2017-18640 fix
> -----------------------------------------------------------
>
>                 Key: CASSANDRA-16150
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-16150
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Dependencies
>            Reporter: Rahul Nandi
>            Assignee: Rahul Nandi
>            Priority: Normal
>             Fix For: 4.x
>
>
> A critical-level CVE (CVE-2017-18640) has been discovered in snakeyaml versions earlier than 1.26. It has been patched in snakeyaml version 1.26.
> Reference: [https://nvd.nist.gov/vuln/detail/CVE-2017-18640]
> This card is expected to upgrade the snakeyaml version to 1.26.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)