Posted to commits@cassandra.apache.org by "Michael Shuler (JIRA)" <ji...@apache.org> on 2018/02/13 18:16:00 UTC

[jira] [Commented] (CASSANDRA-14183) CVE-2017-5929 Security vulnerability

    [ https://issues.apache.org/jira/browse/CASSANDRA-14183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16362773#comment-16362773 ] 

Michael Shuler commented on CASSANDRA-14183:
--------------------------------------------

As discussed on the dev@ list and IRC, I have experienced third-party application failure upon updating to logback-1.2.3, so I am not keen on updating the jar in stable branches without due diligence on test updates and user notification.

I'm fine with committing an update to trunk.

Dropping in a new jar is not all that's needed for a complete fix, since we break unit tests. I attached a git patch on trunk that was created for the purpose of fixing log rotation, but it does not build properly at the moment. It has the cql3 test changes needed, as well as some notes on obsoleted API changes in logback since 1.1.3.

I hope it helps.

> CVE-2017-5929 Security vulnerability
> ------------------------------------
>
>                 Key: CASSANDRA-14183
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14183
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Libraries
>            Reporter: Thiago Veronezi
>            Assignee: Thiago Veronezi
>            Priority: Major
>              Labels: patch, security
>             Fix For: 3.11.x
>
>         Attachments: 0001-Update-to-logback-1.2.3-and-redefine-default-rotatio.patch
>
>
> Cassandra 3.11.1 is patched with logback 1.1.3, which contains the security vulnerability described here: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929]
