[
https://issues.apache.org/jira/browse/CASSANDRA-19654?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17848457#comment-17848457
]
Jackson Fleming commented on CASSANDRA-19654:
---------------------------------------------
[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721] - is the CVE
someone has flagged to us, but there's a lot more reported on the maven page
for 3.11.0
([https://mvnrepository.com/artifact/com.datastax.cassandra/cassandra-driver-core/3.11.0]
)
> Update bundled Cassandra cassandra-driver-core dependency
> ---------------------------------------------------------
>
> Key: CASSANDRA-19654
> URL: https://issues.apache.org/jira/browse/CASSANDRA-19654
> Project: Cassandra
> Issue Type: Task
> Components: Dependencies
> Reporter: Jackson Fleming
> Priority: Normal
>
> There's a dependency in Cassandra project on an old version of the Java
> driver cassandra-driver-core - 3.11.0 in the 4.0 and later releases of
> Cassandra
>
> (For example on the 4.1 branch
> [https://github.com/apache/cassandra/blob/cassandra-4.1/build.xml#L691)]
>
> It appears that this dependency may have some security vulnerabilities in
> transitive dependencies.
> But also this is a very old version of the driver, ideally it would be
> aligned to a newer version, I would suggest either 3.11.5 which is the latest
> in that line of driver versions
> [https://mvnrepository.com/artifact/com.datastax.cassandra/cassandra-driver-core|https://mvnrepository.com/artifact/com.datastax.cassandra/cassandra-driver-core)]
> or this gets updated to the latest 4.x driver (as of writing that's 4.18.1 in
> [https://mvnrepository.com/artifact/org.apache.cassandra/java-driver-core] )
> but this seems like a larger undertaking.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
