[jira] [Updated] (STORM-3918) Bump snakeyaml from 1.32 to 2.0
[ https://issues.apache.org/jira/browse/STORM-3918?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Bipin Prasad updated STORM-3918: Issue Type: Dependency upgrade (was: Improvement) > Bump snakeyaml from 1.32 to 2.0 > --- > > Key: STORM-3918 > URL: https://issues.apache.org/jira/browse/STORM-3918 > Project: Apache Storm > Issue Type: Dependency upgrade > Components: storm-core >Affects Versions: 2.4.0 >Reporter: Alexandre Vermeerbergen >Assignee: Alexandre Vermeerbergen >Priority: Critical > Fix For: 2.5.0 > > > Current snakeyaml version is vulnerable to > [CVE-2022-1471|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1471] > which is rated [9.8 > CRITICAL|https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2022-1471=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H=3.1=NIST] > by NIST. > Trivial fix is to update to snakeyaml 2.0. > I tried to manually replace existing snakeyaml JAR with 2.0 version (but > keeping the same JAR file name to avoid issue with potentially hard coded > CLASSPATH), and then I restarted all Storm related processes (Nimbus, > logview, Supervisor, Nimbus UI...) and deployed some topologies => everything > worked fine > So it looks like a trivial task > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (STORM-3918) Bump snakeyaml from 1.32 to 2.0
[ https://issues.apache.org/jira/browse/STORM-3918?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Bipin Prasad updated STORM-3918: Issue Type: Improvement (was: Bug) > Bump snakeyaml from 1.32 to 2.0 > --- > > Key: STORM-3918 > URL: https://issues.apache.org/jira/browse/STORM-3918 > Project: Apache Storm > Issue Type: Improvement > Components: storm-core >Affects Versions: 2.4.0 >Reporter: Alexandre Vermeerbergen >Assignee: Alexandre Vermeerbergen >Priority: Critical > Fix For: 2.5.0 > > > Current snakeyaml version is vulnerable to > [CVE-2022-1471|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1471] > which is rated [9.8 > CRITICAL|https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2022-1471=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H=3.1=NIST] > by NIST. > Trivial fix is to update to snakeyaml 2.0. > I tried to manually replace existing snakeyaml JAR with 2.0 version (but > keeping the same JAR file name to avoid issue with potentially hard coded > CLASSPATH), and then I restarted all Storm related processes (Nimbus, > logview, Supervisor, Nimbus UI...) and deployed some topologies => everything > worked fine > So it looks like a trivial task > -- This message was sent by Atlassian Jira (v8.20.10#820010)
