[https://issues.apache.org/jira/browse/CASSANDRA-20924?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18022798#comment-18022798]
Stefan Miklosovic edited comment on CASSANDRA-20924 at 9/25/25 1:45 PM:
------------------------------------------------------------------------
After bumping I see this on trunk at least:

trunk - we use netty 4.1.119 and cassandra-driver-core-3.12.1-shaded.jar

[CVE-2025-24970|https://nvd.nist.gov/vuln/detail/CVE-2025-24970] - cassandra-driver-core-3.12.1-shaded.jar - seems valid, high [4.1.91, 4.1.118)
[CVE-2024-29025|https://nvd.nist.gov/vuln/detail/CVE-2024-29025] - cassandra-driver-core-3.12.1-shaded.jar - http related, not valid [x, 4.1.108)
[CVE-2024-47535|https://nvd.nist.gov/vuln/detail/CVE-2024-47535] - cassandra-driver-core-3.12.1-shaded.jar - windows, not applicable, [x, 4.1.115)
[CVE-2025-55163|https://nvd.nist.gov/vuln/detail/CVE-2025-55163] - netty-transport-4.1.119.Final.jar - http, not applicable
[CVE-2025-58056|https://nvd.nist.gov/vuln/detail/CVE-2025-58056] - netty-transport-4.1.119.Final.jar - http, not applicable
[CVE-2025-58057|https://nvd.nist.gov/vuln/detail/CVE-2025-58057] - netty-transport-4.1.119.Final.jar - this is fixed in 4.1.125 - I am not sure we use this, says about Brotli, but patch also touches more (1)

(1) [https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d#diff-7f4d98f6301cd7edb79eacae3cbf3364253e4d4e739aec49828290f613459ea8]

I see all of them in 4.0 plus CVE-2023-44487 (http) and CVE-2025-25193 (windows).
> Update dependency-check library to version 12.1.6
> -------------------------------------------------
>
> Key: CASSANDRA-20924
> URL: https://issues.apache.org/jira/browse/CASSANDRA-20924
> Project: Apache Cassandra
> Issue Type: Task
> Reporter: Stefan Miklosovic
> Assignee: Stefan Miklosovic
> Priority: Normal
>
> The current version (12.1.0) fails on unauthorized exceptions to OSS index
> which 12.1.6 skips.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)