[ https://issues.apache.org/jira/browse/CASSANDRA-16528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brandon Williams updated CASSANDRA-16528:
-----------------------------------------
    Bug Category: Parent values: Security(12985)
      Complexity: Low Hanging Fruit
     Component/s: Dependencies
   Discovered By: User Report
   Fix Version/s: 4.0.x
                  3.11.x
                  3.0.x
        Severity: Normal
          Status: Open  (was: Triage Needed)

> Update Cassandra dependencies to fix security vulnerabilities
> -------------------------------------------------------------
>
>                 Key: CASSANDRA-16528
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-16528
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Build, Dependencies
>            Reporter: LHX
>            Priority: Normal
>             Fix For: 3.0.x, 3.11.x, 4.0.x
>
>
> There are a couple of security vulnerabilities that show up in libraries that
> cassandra pulls in.
> # apache commons-collections v 3.2.1
> # apache commons-beanutils v 1.7.0
> For number one, there is a well-known security vulnerability in apache
> commons-collections 3.2.1 (see [https://www.kb.cert.org/vuls/id/576313] and
> https://issues.apache.org/jira/browse/COLLECTIONS-580). This is
> fixed/mitigated in commons-collections 3.2.2.
> All current versions of cassandra (including 4.0beta4) pull in
> commons-collections 3.2.1 via apache-rat 0.10. Is it possible to upgrade
> apache-rat to version 0.12 in order to pull in the latest version of
> commons-collections? See
> [https://github.com/apache/creadur-rat/commit/2380409fbcd02b418eceacfdc1e486bdbbca9632].
> I made the below change in 3.0.24 src and recompiled without errors.
> {code:java}
> // code placeholder
> diff --git a/cassandra/cassandra-3.0-src/build.xml
> b/cassandra/cassandra-3.0-src/build.xml
> index 73c9889d81..ed236443d4 100644
> --- a/cassandra/cassandra-3.0-src/build.xml
> +++ b/cassandra/cassandra-3.0-src/build.xml
> @@ -402,3 +402,3 @@
> <dependency groupId="org.reflections" artifactId="reflections"
> version="0.9.12" />
> - <dependency groupId="org.apache.rat" artifactId="apache-rat"
> version="0.10">
> + <dependency groupId="org.apache.rat" artifactId="apache-rat"
> version="0.12">
> <exclusion groupId="commons-lang" artifactId="commons-lang"/>
> @@ -1605,3 +1605,3 @@
> <artifact:dependencies pathId="rat.classpath">
> - <dependency groupId="org.apache.rat" artifactId="apache-rat-tasks"
> version="0.6" />
> + <dependency groupId="org.apache.rat" artifactId="apache-rat-tasks"
> version="0.12" />
> <remoteRepository refid="central"/>
> {code}
>
> For number two, I was able to discern that beanutils is coming from
> hadoop-core which is version 1.0.3. I believe this also is quite out of date
> and could be upgraded.
> Could someone take a look and see if these version upgrades are possible?

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
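Review bot: the apache-rat bump from 0.10 to 0.12 in the `@@ -402,3 +402,3 @@` hunk keeps only the existing `<exclusion groupId="commons-lang" artifactId="commons-lang"/>`, so nothing in the patch itself demonstrates that commons-collections 3.2.1 has left the build classpath, and "recompiled without errors" does not show which jar was resolved. Before this is merged, please check the resolved build dependencies (the jars the build actually downloads) and confirm that apache-rat 0.12 now brings in commons-collections 3.2.2, the stated goal of the change, and that no other dependency still resolves 3.2.1; if one does, an explicit exclusion next to the commons-lang one, or a managed version, is the place to handle it.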
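Review bot: in the `@@ -1605,3 +1605,3 @@` hunk apache-rat-tasks jumps from 0.6 to 0.12, a much larger step than the apache-rat bump in the first hunk, and the report only says the tree compiled, which does not exercise the Ant task definitions loaded from `pathId="rat.classpath"`. Please run the build target that consumes `rat.classpath` against this change and report the result, so a task-level incompatibility between 0.6 and 0.12 is caught here rather than on the next release. Aligning both artifacts at 0.12 is the right call, since the two versions were previously out of step (0.10 versus 0.6).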