[ https://issues.apache.org/jira/browse/CASSANDRA-18875?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17791280#comment-17791280 ]
Raymond Huffman commented on CASSANDRA-18875: --------------------------------------------- No reason not to. I think the default limit is also arbitrary. The code point limit was added to "fix" this CVE https://www.cvedetails.com/cve/CVE-2022-38752 > Upgrade the snakeyaml library version > ------------------------------------- > > Key: CASSANDRA-18875 > URL: https://issues.apache.org/jira/browse/CASSANDRA-18875 > Project: Cassandra > Issue Type: Task > Components: Local/Config > Reporter: Jai Bheemsen Rao Dhanwada > Assignee: Raymond Huffman > Priority: Normal > Fix For: 5.x > > > Apache cassandra uses 1.26 version of snakeyaml dependency and there are > several > [vulnerabilities|https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.26#] > in this version that can be fixed by upgrading to 2.x version. I understand > that this is not security issue as cassandra already uses SafeConstructor and > is not a vulnerability under OWASP, so there are no plans to fix it as per > CASSANDRA-18122 > > Cassandra as a open source used and distributed by many enterprise customers > and also when downloading cassandra as tar and using it external scanners are > not aware of the implementation of SafeConstructor have no idea if it's > vulnerable or not. > Can we consider upgrading the version to 2.x in the next releases as > snakeyaml is not something that has a large dependency between the major and > minor versions. I am happy to open a PR for this. Please let me know your > thoughts on this. -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org