cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ekaterina Dimitrova (Jira)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-16528) Update Cassandra dependencies to fix security vulnerabilities
Date Tue, 03 Aug 2021 20:02:00 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-16528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17392504#comment-17392504
] 

Ekaterina Dimitrova commented on CASSANDRA-16528:
-------------------------------------------------

[~brandon.williams] Is this ticket still needed?

> Update Cassandra dependencies to fix security vulnerabilities
> -------------------------------------------------------------
>
>                 Key: CASSANDRA-16528
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-16528
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Build, Dependencies
>            Reporter: LHX
>            Priority: Low
>             Fix For: 3.0.x, 3.11.x, 4.0.x
>
>
> There are a couple of security vulnerabilities that show up in libraries that cassandra
pulls in.
>  # apache commons-collections v 3.2.1
>  # apache commons-beanutils v 1.7.0
> For number one, there is a well-known security vulnerability in apache commons-collection
3.2.1 (see [https://www.kb.cert.org/vuls/id/576313] and https://issues.apache.org/jira/browse/COLLECTIONS-580).
This is fixed/mitigated in commons-collections 3.2.2.
> All current versions of cassandra (including 4.0beta4) pull in commons-collections 3.2.1
via apache-rat 0.10. Is it possible to upgrade apache-rat to version 0.12 in order to pull
in the latest version of commons-collections? See [https://github.com/apache/creadur-rat/commit/2380409fbcd02b418eceacfdc1e486bdbbca9632].
> I made the below change in 3.0.24 src and recompiled without errors.
> {code:java}
> // code placeholder
> diff --git a/cassandra/cassandra-3.0-src/build.xml b/cassandra/cassandra-3.0-src/build.xml
> index 73c9889d81..ed236443d4 100644
> --- a/cassandra/cassandra-3.0-src/build.xml
> +++ b/cassandra/cassandra-3.0-src/build.xml
> @@ -402,3 +402,3 @@
>            <dependency groupId="org.reflections" artifactId="reflections" version="0.9.12"
/>
> -          <dependency groupId="org.apache.rat" artifactId="apache-rat" version="0.10">
> +          <dependency groupId="org.apache.rat" artifactId="apache-rat" version="0.12">
>               <exclusion groupId="commons-lang" artifactId="commons-lang"/>
> @@ -1605,3 +1605,3 @@
>      <artifact:dependencies pathId="rat.classpath">
> -      <dependency groupId="org.apache.rat" artifactId="apache-rat-tasks" version="0.6"
/>
> +      <dependency groupId="org.apache.rat" artifactId="apache-rat-tasks" version="0.12"
/>
>        <remoteRepository refid="central"/>
> {code}
>  
> For number two, I was able to discern that beanutils is coming from hadoop-core which
is version 1.0.3.  I believe this also is quite out of date and could be upgraded. 
> Could someone take a look and see if these version upgrades are possible?
> {{}}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org


Mime
View raw message