This is an automated email from the ASF dual-hosted git repository.

brandonwilliams pushed a commit to branch cassandra-4.0
in repository https://gitbox.apache.org/repos/asf/cassandra.git

commit 299ead7534a97af44035ab90002565f88f439144
Merge: 5f54d64c78 e9aa5ec514
Author: Brandon Williams <brandonwilli...@apache.org>
AuthorDate: Tue Jan 24 12:26:12 2023 -0600

    Merge branch 'cassandra-3.11' into cassandra-4.0

 .build/dependency-check-suppressions.xml | 4 ++++
 CHANGES.txt                              | 1 +
 2 files changed, 5 insertions(+)

diff --cc .build/dependency-check-suppressions.xml
index 35d9bd096f,8c5cf0f592..3c81e79c17
--- a/.build/dependency-check-suppressions.xml
+++ b/.build/dependency-check-suppressions.xml
@@@ -38,17 -30,55 +38,21 @@@
          <cve>CVE-2022-38751</cve>
          <cve>CVE-2022-38752</cve>
          <cve>CVE-2022-41854</cve>
+         <cve>CVE-2021-1471</cve>
+         <cve>CVE-2021-3064</cve>
+         <cve>CVE-2021-4235</cve>
+         <cve>CVE-2017-18640</cve>
      </suppress>
 -
 -    <!-- https://issues.apache.org/jira/browse/CASSANDRA-15417 -->
 -    <suppress>
 -        <packageUrl 
regex="true">^pkg:maven/io\.netty/netty\-all@.*$</packageUrl>
 -        <cve>CVE-2019-16869</cve>
 -        <cve>CVE-2019-20444</cve>
 -        <cve>CVE-2019-20445</cve>
 -        <cve>CVE-2020-7238</cve>
 -        <cve>CVE-2021-21290</cve>
 -        <cve>CVE-2021-21295</cve>
 -        <cve>CVE-2021-21409</cve>
 -        <cve>CVE-2021-37136</cve>
 -        <cve>CVE-2021-37137</cve>
 -        <cve>CVE-2021-43797</cve>
 -        <cve>CVE-2022-24823</cve>
 -        <cve>CVE-2022-41881</cve>
 -    </suppress>
 -
 -    <!-- https://issues.apache.org/jira/browse/CASSANDRA-14183 -->
 -    <suppress>
 -        <packageUrl 
regex="true">^pkg:maven/ch\.qos\.logback/logback\-core@.*$</packageUrl>
 -        <cve>CVE-2017-5929</cve>
 -    </suppress>
      <suppress>
 -        <packageUrl 
regex="true">^pkg:maven/ch\.qos\.logback/logback\-classic@.*$</packageUrl>
 -        <cve>CVE-2017-5929</cve>
 +        <!-- dependency checker identified this as a completely different 
package (wire) -->
 +        <packageUrl 
regex="true">^pkg:maven/net\.openhft/chronicle\-wire@.*$</packageUrl>
 +        <cpe>cpe:/a:wire:wire</cpe>
      </suppress>
 -
 -    <!-- this was fixed in 3.0.22 -->
 -    <suppress>
 -        <packageUrl 
regex="true">^pkg:maven/com\.datastax\.cassandra/cassandra\-driver\-core@.*$</packageUrl>
 -        <cve>CVE-2019-2684</cve>
 -        <cve>CVE-2020-13946</cve>
 -        <cve>CVE-2020-17516</cve>
 -        <cve>CVE-2021-44521</cve>
 -    </suppress>
 -
 -    <!-- https://issues.apache.org/jira/browse/CASSANDRA-14760 -->
      <suppress>
 +        <!-- not applicable https://nvd.nist.gov/vuln/detail/CVE-2020-8908 -->
          <packageUrl 
regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
 -        <cve>CVE-2018-10237</cve>
          <cve>CVE-2020-8908</cve>
      </suppress>
 -
      <!-- https://issues.apache.org/jira/browse/CASSANDRA-18146 -->
      <suppress>
          <packageUrl 
regex="true">^pkg:maven/org\.apache\.commons.*$</packageUrl>
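Review bot: The four `<cve>` entries added at the top of this hunk (CVE-2021-1471, CVE-2021-3064, CVE-2021-4235, CVE-2017-18640) carry no recorded justification, while the other blocks in the hunk each have a JIRA link or a "not applicable" comment. The CHANGES.txt entry for CASSANDRA-18149 names only the first three, so CVE-2017-18640 is suppressed with no trace of why. The enclosing `<suppress>` starts above the hunk and its packageUrl is not visible; if it has no comment there, adding `<!-- https://issues.apache.org/jira/browse/CASSANDRA-18149 -->` ahead of it would match the file's style. The neighbouring ids in this block are all from 2022, so the year in CVE-2021-1471 and CVE-2021-3064 is worth confirming against the scanner report, because a mistyped id leaves the real finding unsuppressed and could mask an unrelated one.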
diff --cc CHANGES.txt
index 0c0b1801c6,5a59323aa0..025f710a4a
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@@ -1,18 -1,7 +1,19 @@@
 -3.11.15
 +4.0.8
 + * Add safeguard so cleanup fails when node has pending ranges 
(CASSANDRA-16418)
 + * Fix legacy clustering serialization for paging with compact storage 
(CASSANDRA-17507)
 + * Add support for python 3.11 (CASSANDRA-18088)
 + * Fix formatting of duration in cqlsh (CASSANDRA-18141)
 + * Fix sstable loading of keyspaces named snapshots or backups 
(CASSANDRA-14013)
 + * Avoid ConcurrentModificationException in STCS/DTCS/TWCS.getSSTables 
(CASSANDRA-17977)
 + * Restore internode custom tracing on 4.0's new messaging system 
(CASSANDRA-17981)
 + * Harden parsing of boolean values in CQL in PropertyDefinitions 
(CASSANDRA-17878)
 + * Fix error message about type hints (CASSANDRA-17915)
 + * Fix possible race condition on repair snapshots (CASSANDRA-17955)
 + * Fix ASM bytecode version inconsistency (CASSANDRA-17873)
 +Merged from 3.11:
   * Fix Splitter sometimes creating more splits than requested 
(CASSANDRA-18013)
  Merged from 3.0:
+  * Suppress CVE-2021-1471, CVE-2021-3064, CVE-2021-4235 (CASSANDRA-18149)
   * Switch to snakeyaml's SafeConstructor (CASSANDRA-18150)
   * Expand build.dir property in rat targets (CASSANDRA-18183)
   * Suppress CVE-2022-41881 (CASSANDRA-18148)

