[jira] [Commented] (CASSANDRA-18083) snakeyaml-1.26.jar: CVE-2022-41854

2022-12-04 Thread Berenguer Blasi (Jira)


[ https://issues.apache.org/jira/browse/CASSANDRA-18083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17643137#comment-17643137 ]

Berenguer Blasi commented on CASSANDRA-18083:
-

I have been thinking of instances where we would be parsing 3rd party provided 
yaml config files and I don't think we have any. CI for 4.0 seems to have a 
failure around compression but it can't be related to this change. The others 
are known flakies. LGTM +1

> snakeyaml-1.26.jar: CVE-2022-41854
> --
>
> Key: CASSANDRA-18083
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18083
> Project: Cassandra
>  Issue Type: Bug
>  Components: Dependencies
>Reporter: Brandon Williams
>Assignee: Brandon Williams
>Priority: Normal
> Fix For: 3.0.x, 3.11.x, 4.0.x, 4.1.x, 4.x
>
>
> https://nvd.nist.gov/vuln/detail/CVE-2022-41854



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org



[jira] [Commented] (CASSANDRA-18083) snakeyaml-1.26.jar: CVE-2022-41854

2022-11-30 Thread Brandon Williams (Jira)


[ https://issues.apache.org/jira/browse/CASSANDRA-18083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17641422#comment-17641422 ]

Brandon Williams commented on CASSANDRA-18083:
--

3.0 also has (for snakeyaml):

https://nvd.nist.gov/vuln/detail/CVE-2022-38752
https://nvd.nist.gov/vuln/detail/CVE-2022-38751
https://nvd.nist.gov/vuln/detail/CVE-2022-38750
https://nvd.nist.gov/vuln/detail/CVE-2022-41854
https://nvd.nist.gov/vuln/detail/CVE-2022-25857
https://nvd.nist.gov/vuln/detail/CVE-2022-38749

which are all also about parsing untrusted files resulting in a DOS, a scenario 
that is not relevant to Apache Cassandra, and these are already suppressed in 
3.11 and up.

||Branch||Circle||
|[3.0|https://github.com/driftx/cassandra/tree/CASSANDRA-18083-3.0]|[j8|https://app.circleci.com/pipelines/github/driftx/cassandra/708/workflows/1868a814-1682-4e7b-8d7f-5662d45b516b]|
|[3.11|https://github.com/driftx/cassandra/tree/CASSANDRA-18083-3.11]|[j8|https://app.circleci.com/pipelines/github/driftx/cassandra/706/workflows/b1fe40aa-2683-42cd-b8d4-4626b9694796]|
|[4.0|https://github.com/driftx/cassandra/tree/CASSANDRA-18083-4.0]|[j8|https://app.circleci.com/pipelines/github/driftx/cassandra/705/workflows/3b65caca-fa1a-4003-b7b0-45011abaf88a], [j11|https://app.circleci.com/pipelines/github/driftx/cassandra/705/workflows/3b65caca-fa1a-4003-b7b0-45011abaf88a]|
|[4.1|https://github.com/driftx/cassandra/tree/CASSANDRA-18083-4.1]|[j8|https://app.circleci.com/pipelines/github/driftx/cassandra/709/workflows/75af59b5-f999-4ca7-84a0-ff40622de955], [j11|https://app.circleci.com/pipelines/github/driftx/cassandra/709/workflows/c7f2cde8-44c4-4a6a-af44-1952b4b5f8af]|
|[trunk|https://github.com/driftx/cassandra/tree/CASSANDRA-18083-trunk]|[j8|https://app.circleci.com/pipelines/github/driftx/cassandra/707/workflows/ba4212f2-1654-4902-9f63-e0e0643f9cd6], [j11|https://app.circleci.com/pipelines/github/driftx/cassandra/707/workflows/789cc3a6-e7ad-4432-b435-ba3584c553c1]|








[jira] [Commented] (CASSANDRA-18083) snakeyaml-1.26.jar: CVE-2022-41854

2022-11-30 Thread Brandon Williams (Jira)


[ https://issues.apache.org/jira/browse/CASSANDRA-18083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17641394#comment-17641394 ]

Brandon Williams commented on CASSANDRA-18083:
--

bq. Those using Snakeyaml to parse untrusted YAML files may be vulnerable to 
Denial of Service attacks (DOS). If the parser is running on user supplied 
input, an attacker may supply content that causes the parser to crash by stack 
overflow.

I don't think we need to worry about this, similar to CASSANDRA-17907.




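The NVD text quoted in the thread describes the failure mode (deeply nested input driving the SnakeYAML loader into a stack overflow) but not the mitigation a caller that does parse third-party YAML would apply. The following is an added example, not code from this Jira thread or from Apache Cassandra: it configures SnakeYAML's `LoaderOptions` with an explicit nesting-depth limit and alias cap, and checks that a constructed over-deep document is rejected with a `YAMLException` instead of being parsed. It assumes SnakeYAML 1.32 or later on the classpath (the release that added `setNestingDepthLimit`); the class and method names `BoundedYamlLoad`, `boundedLoader`, `nestedDocument` and `rejectedByLimit` are hypothetical.

```java
// Added example (not from the Jira thread or the Cassandra project).
// Assumes SnakeYAML >= 1.32, which introduced LoaderOptions.setNestingDepthLimit.
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

public class BoundedYamlLoad {

    // Build a loader with explicit resource limits rather than the library defaults.
    static Yaml boundedLoader(int maxDepth) {
        LoaderOptions opts = new LoaderOptions();
        opts.setNestingDepthLimit(maxDepth);   // documents nested deeper than maxDepth are rejected
        opts.setMaxAliasesForCollections(10);  // bounds alias expansion ("billion laughs")
        opts.setAllowDuplicateKeys(false);     // surface ambiguous input instead of silently merging
        return new Yaml(opts);
    }

    // Constructed test input: a flow mapping nested `depth` levels deep, e.g. {a: {a: {a: 1}}}.
    static String nestedDocument(int depth) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < depth; i++) sb.append("{a: ");
        sb.append("1");
        for (int i = 0; i < depth; i++) sb.append("}");
        return sb.toString();
    }

    // True when the loader refused the document (YAMLException from the depth check),
    // false when it parsed normally.
    static boolean rejectedByLimit(Yaml yaml, String doc) {
        try {
            yaml.load(doc);
            return false;
        } catch (YAMLException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        Yaml yaml = boundedLoader(20);
        // A shallow document is within the limit and loads; a 500-level one is refused
        // before the recursive composer can consume the call stack.
        System.out.println("depth 5 rejected:   " + rejectedByLimit(yaml, nestedDocument(5)));
        System.out.println("depth 500 rejected: " + rejectedByLimit(yaml, nestedDocument(500)));
    }
}
```

The limit is enforced while the document is being composed, so the cost of a hostile input is bounded by the configured depth rather than by the JVM stack size; callers whose only YAML input is their own configuration file, as the thread concludes for Cassandra, gain nothing from it beyond defence in depth.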