From: aweisberg@apache.org To: commits@cassandra.apache.org Date: Wed, 14 Feb 2018 21:28:41 -0000 Message-Id: <8863d867685248b68cef920749235fd4@git.apache.org> In-Reply-To: References: X-Mailer: ASF-Git Admin Mailer Subject: [03/15] cassandra git commit: CVE-2017-5929 Security vulnerability in Logback warning in NEWS.txt CVE-2017-5929 Security vulnerability in Logback warning in NEWS.txt Patch by Ariel Weisberg; Reviewed by Jason Brown for CASSANDRA-14183 Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/4bbd28a0 Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/4bbd28a0 Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/4bbd28a0 Branch: refs/heads/trunk Commit: 4bbd28a043f15dd6c19de157acb5950319e8c16c Parents: b294943 Author: Ariel Weisberg Authored: Wed Feb 14 11:55:00 2018 -0500 Committer: Ariel Weisberg Committed: Wed Feb 14 11:55:00 2018 -0500 ---------------------------------------------------------------------- CHANGES.txt | 3 +++ NEWS.txt | 9 +++++++++ 2 files changed, 12 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cassandra/blob/4bbd28a0/CHANGES.txt ---------------------------------------------------------------------- diff --git a/CHANGES.txt b/CHANGES.txt index 9332354..0c25388 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -1,3 +1,6 @@ +2.1.21 + * CVE-2017-5929 Security vulnerability in Logback warning in NEWS.txt (CASSANDRA-14183) + 2.1.20 * Protect against overflow of local expiration time (CASSANDRA-14092) * More PEP8 compliance for cqlsh (CASSANDRA-14021) http://git-wip-us.apache.org/repos/asf/cassandra/blob/4bbd28a0/NEWS.txt ---------------------------------------------------------------------- diff --git a/NEWS.txt b/NEWS.txt index fb6b4ee..232f3cd 100644 --- a/NEWS.txt +++ b/NEWS.txt 
@@ -18,6 +18,15 @@ CASSANDRA-14092.txt file. If you use or plan to use very large TTLS (10 to 20 years), read CASSANDRA-14092.txt for more information. +PLEASE READ: CVE-2017-5929 LOGBACK BEFORE 1.2.0 SERIALIZATION VULNERABILITY +------------------------------------------------------------------ +QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the +SocketServer and ServerSocketReceiver components. + +Logback has not been upgraded to avoid breaking deployments and customizations +based on older versions. If you are using vulnerable components you will need +to upgrade to a newer version of Logback or stop using the vulnerable components. + GENERAL UPGRADING ADVICE FOR ANY VERSION ========================================
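Review bot: The new 2.1.21 entry in CHANGES.txt, "CVE-2017-5929 Security vulnerability in Logback warning in NEWS.txt", is ambiguous and can be read as saying the vulnerability was fixed in this release. Since the NEWS.txt text states that Logback has not been upgraded, the changelog line should say so directly, for example "Add warning to NEWS.txt about CVE-2017-5929 in Logback (Logback not upgraded)", so that anyone scanning CHANGES.txt for CVE coverage does not treat 2.1.21 as remediated.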
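Review bot: The added NEWS.txt paragraph ending "or stop using the vulnerable components" leaves operators without a way to tell whether they are affected. It names SocketServer and ServerSocketReceiver but does not say whether the Logback configuration shipped with Cassandra enables either one, and it does not state which Logback version is bundled. Consider adding one sentence that says whether a default install uses these components, and one that tells readers to check their Logback configuration for a receiver or socket server entry, so the notice can be acted on without reading the CVE text separately.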