Merge branch 'cassandra-4.1' into cassandra-5.0

Author: smiklosovic

.build/owasp/dependency-check-suppressions.xml

@@ -44,14 +44,6 @@
         <cve>CVE-2025-25193</cve>
     </suppress>
 
-    <!-- https://issues.apache.org/jira/browse/CASSANDRA-17966 -->
-    <suppress>
-        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
-        <cve>CVE-2022-42003</cve>
-        <cve>CVE-2022-42004</cve>
-        <cve>CVE-2023-35116</cve>
-    </suppress>
-
     <!-- https://issues.apache.org/jira/browse/CASSANDRA-19142 -->
     <!-- https://issues.apache.org/jira/browse/CASSANDRA-20412 -->
     <suppress>

.build/parent-pom-template.xml

@@ -422,26 +422,27 @@
       <dependency>
         <groupId>com.fasterxml.jackson.core</groupId>
         <artifactId>jackson-core</artifactId>
-        <version>2.13.2</version>
+        <version>2.19.2</version>
       </dependency>
       <dependency>
         <groupId>com.fasterxml.jackson.core</groupId>
         <artifactId>jackson-databind</artifactId>
-        <version>2.13.2.2</version>
+        <version>2.19.2</version>
       </dependency>
       <dependency>
         <groupId>com.fasterxml.jackson.core</groupId>
         <artifactId>jackson-annotations</artifactId>
-        <version>2.13.2</version>
+        <version>2.19.2</version>
       </dependency>
       <dependency>
         <groupId>com.fasterxml.jackson.datatype</groupId>
         <artifactId>jackson-datatype-jsr310</artifactId>
-        <version>2.13.2</version>
+        <version>2.19.2</version>
       </dependency>
       <dependency>
         <groupId>com.fasterxml.jackson.dataformat</groupId>
         <artifactId>jackson-dataformat-yaml</artifactId>
+        <!-- CASSANDRA-20848 2.19.x would bring snakeyaml 2.4 which is for now incompatible with rest of the codebase -->
         <version>2.13.2</version>
         <scope>test</scope>
         <exclusions>

.snyk

@@ -16,12 +16,6 @@ ignore:
     - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$
   CVE-2022-41854:
     - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$
-  CVE-2022-42003:
-    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17966 -- ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$
-  CVE-2022-42004:
-    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17966 -- ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$
-  CVE-2023-35116:
-    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17966 -- ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$
   CVE-2023-44487:
     - reason: https://issues.apache.org/jira/browse/CASSANDRA-18943 -- ^pkg:maven/io\.netty/netty\-.*@.*$
   CVE-2023-6378:

CHANGES.txt

@@ -1,6 +1,7 @@
 5.0.6
  * Sort SSTable TOC entries for determinism (CASSANDRA-20494)
 Merged from 4.0:
+ * Update Jackson to 2.19.2 (CASSANDRA-20848)
  * Update commons-lang3 to 3.18.0 (CASSANDRA-20849)
  * Add NativeTransportMaxConcurrentConnectionsPerIp to StorageProxyMBean (CASSANDRA-20642)
  * Make secondary index implementations notified about rows in fully expired SSTables in compaction (CASSANDRA-20829)