cassandra-commits mailing list archives

From "Michael Shuler (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-14183) CVE-2017-5929 Security vulnerability
Date Tue, 13 Feb 2018 18:16:00 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-14183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16362773#comment-16362773 ]

Michael Shuler commented on CASSANDRA-14183:
--------------------------------------------

As discussed on the dev@ list and IRC, I have experienced third-party application failure
upon updating to logback-1.2.3, so I am not keen on updating the jar in stable branches without
due diligence on test updates and user notification.

I'm fine with committing an update to trunk.

Dropping in a new jar is not all that's needed for a complete fix, since we break unit tests.
I attached a git patch on trunk that was created for the purpose of fixing log rotation, but
it does not build properly, at the moment. It has the cql3 test changes needed, as well as
some notes on obsoleted api changes in logback since 1.1.3.

I hope it helps.

> CVE-2017-5929 Security vulnerability
> ------------------------------------
>
>                 Key: CASSANDRA-14183
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14183
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Libraries
>            Reporter: Thiago Veronezi
>            Assignee: Thiago Veronezi
>            Priority: Major
>              Labels: patch, security
>             Fix For: 3.11.x
>
>         Attachments: 0001-Update-to-logback-1.2.3-and-redefine-default-rotatio.patch
>
>
> Cassandra 3.11.1 is patched with logback 1.1.3, which contains the security vulnerability
> described here. [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
