[jira] [Commented] (CASSANDRA-13501) Upgrade some dependencies.
[ https://issues.apache.org/jira/browse/CASSANDRA-13501?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17791957#comment-17791957 ]

Kapil Shewate commented on CASSANDRA-13501:
---

Cassandra 4.0.11 and 4.1.3 contain the logback version 1.2.9; these are vulnerable to the following CVE. Please upgrade to the latest version of these jars.

CVE: CVE-2021-42550 (BDSA-2021-3818)
CVE Score: 6.6

apache-cassandra/lib/logback-classic-1.2.9.jar
apache-cassandra/lib/logback-core-1.2.9.jar

> Upgrade some dependencies.
> --
>
> Key: CASSANDRA-13501
> URL: https://issues.apache.org/jira/browse/CASSANDRA-13501
> Project: Cassandra
> Issue Type: Improvement
> Components: Dependencies
> Reporter: vincent royer
> Priority: Low
> Fix For: 3.0.x, 3.11.x, 5.x
>
>
> Upgrade some java libraries to be able to run elasticsearch as a cassandra
> plugin (an elasticsearch jar dropped in lib), see CASSANDRA-13270.

--
This message was sent by Atlassian Jira (v8.20.10#820010)

To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-13501) Upgrade some dependencies.
[ https://issues.apache.org/jira/browse/CASSANDRA-13501?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16042549#comment-16042549 ]

vincent royer commented on CASSANDRA-13501:
---

Assuming there is no regression, we can switch to the latest version that you mention.

For snowball-stemmer ( https://github.com/rholder/snowball-stemmer/tree/master/src/main/java/org/tartarus/snowball ), it's a bit messy, because the same classes in a different version have been included in lucene-analyzers-common-5.5.4.jar (see https://github.com/apache/lucene-solr/tree/branch_5_4/lucene/analysis/common/src/java/org/tartarus/snowball ). So, depending on class loading order, you could have various behavior. I guess that at least one project (rholder/snowball-stemmer or lucene) should rename this package to avoid such a version conflict? (The stratio lucene plugin has the same issue in version 3.10, because it also includes lucene-analyzers-common-5.5.4.jar).

> Upgrade some dependencies.
> --
>
> Key: CASSANDRA-13501
> URL: https://issues.apache.org/jira/browse/CASSANDRA-13501
> Project: Cassandra
> Issue Type: Improvement
> Components: Libraries
> Reporter: vincent royer
> Priority: Minor
> Fix For: 3.0.x, 3.11.x, 4.x
>
>
> Upgrade some java libraries to be able to run elasticsearch as a cassandra
> plugin (an elasticsearch jar dropped in lib), see CASSANDRA-13270.

--
This message was sent by Atlassian JIRA (v6.3.15#6346)

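The class collision described in the message above can be checked for mechanically. The following is an added example, not part of the original thread or of Cassandra's code: it lists `.class` entries that occur in more than one jar of a lib directory and separates byte-identical copies from diverging ones. The jar file names come from the thread; the class entries and their contents are constructed placeholders, and the function names are hypothetical.

```python
import hashlib
import zipfile
from collections import defaultdict
from pathlib import Path


def find_duplicate_classes(lib_dir, package_prefix=""):
    """Return {class entry: {jar name: sha256}} for classes present in 2+ jars.

    package_prefix is a jar-entry prefix such as "org/tartarus/snowball/".
    """
    seen = defaultdict(dict)
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        with zipfile.ZipFile(jar) as zf:
            for name in zf.namelist():
                if name.endswith(".class") and name.startswith(package_prefix):
                    digest = hashlib.sha256(zf.read(name)).hexdigest()
                    seen[name][jar.name] = digest
    return {cls: jars for cls, jars in seen.items() if len(jars) > 1}


def conflicting_classes(duplicates):
    """Duplicates whose bytes differ between jars: load order changes behavior."""
    return sorted(c for c, jars in duplicates.items() if len(set(jars.values())) > 1)


def build_sample_lib(lib_dir):
    """Constructed stand-in jars: file names from the thread, dummy class bytes."""
    samples = {
        "snowball-stemmer-1.3.0.581.1.jar": {
            "org/tartarus/snowball/SnowballProgram.class": b"constructed-build-A",
            "org/tartarus/snowball/Among.class": b"constructed-same-bytes",
        },
        "lucene-analyzers-common-5.5.4.jar": {
            "org/tartarus/snowball/SnowballProgram.class": b"constructed-build-B",
            "org/tartarus/snowball/Among.class": b"constructed-same-bytes",
            "org/apache/lucene/analysis/Placeholder.class": b"constructed-lucene-only",
        },
    }
    for jar_name, entries in samples.items():
        with zipfile.ZipFile(Path(lib_dir) / jar_name, "w") as zf:
            for entry, data in entries.items():
                zf.writestr(entry, data)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_lib(tmp)
        dups = find_duplicate_classes(tmp, "org/tartarus/snowball/")
        for cls in conflicting_classes(dups):
            print("conflict:", cls, "in", ", ".join(sorted(dups[cls])))
```

Passing a real lib directory to `find_duplicate_classes` runs the same check on actual jars; an empty result from `conflicting_classes` means every shared class is byte-identical across the jars that carry it.
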
[jira] [Commented] (CASSANDRA-13501) Upgrade some dependencies.
[ https://issues.apache.org/jira/browse/CASSANDRA-13501?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16038967#comment-16038967 ]

Stefan Podkowinski commented on CASSANDRA-13501:
---

Some of the mentioned lib versions are also already a bit outdated.

* Latest Guava version is 22
* Latest commons-cli 1.4
* Latest commons-lang3 3.5
* Latest logback 1.2.3
* Latest jackson 1.9.13
* jna.jar has already been updated to 4.4 on trunk
* snowball-stemmer is used by SASI's {{StemmerFactory}} and {{StemmingFilter}} and therefore can't just be removed

[jira] [Commented] (CASSANDRA-13501) Upgrade some dependencies.
[ https://issues.apache.org/jira/browse/CASSANDRA-13501?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16036099#comment-16036099 ]

vincent royer commented on CASSANDRA-13501:
---

Upgrade these packages:

Remove useless dependency to com.github.rholder.snowball-stemmer v1.3.0.581.1 to avoid conflict with lucene lucene-analyzers-common-5.5.4.jar.

[jira] [Commented] (CASSANDRA-13501) Upgrade some dependencies.
[ https://issues.apache.org/jira/browse/CASSANDRA-13501?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16032667#comment-16032667 ]

Stefan Podkowinski commented on CASSANDRA-13501:
---

What are the libraries that need to be upgraded?