Posted to user@cassandra.apache.org by Oleksandr Shulgin <ol...@zalando.de> on 2019/02/12 08:49:23 UTC

How to upgrade logback dependency

Hi,

The latest release notes for all versions mention that logback < 1.2.0 is
subject to CVE-2017-5929 and that the logback version is not upgraded.
E.g:
https://gitbox.apache.org/repos/asf?p=cassandra.git;a=blob_plain;f=NEWS.txt;hb=refs/tags/cassandra-3.0.18

Indeed, when installing 3.0.18 from the deb package I still see the older
version:

# ls -l /usr/share/cassandra/lib/logback*
-rw-r--r-- 1 root root 280926 Feb  1 18:37
/usr/share/cassandra/lib/logback-classic-1.1.3.jar
-rw-r--r-- 1 root root 455041 Feb  1 18:37
/usr/share/cassandra/lib/logback-core-1.1.3.jar

Given that I can install a newer logback version, for example, using apt-get
install liblogback (which currently pulls 1.2.3), how do I make sure
Cassandra uses the newer one?

Should I put the newer jars on CLASSPATH before starting the server?
Examining /usr/share/cassandra/cassandra.in.sh suggests that this is likely
to do the trick, but is this the way to go or is there a better way?
Didn't find this documented anywhere.

Regards,
-- 
Alex

Re: How to upgrade logback dependency

Posted by Michael Shuler <mi...@pbandjelly.org>.
On 2/13/19 2:30 AM, Oleksandr Shulgin wrote:
> On Tue, Feb 12, 2019 at 7:02 PM Michael Shuler <michael@pbandjelly.org
> <ma...@pbandjelly.org>> wrote: 
> 
>     If you are not using the logback SocketServer and ServerSocketReceiver
>     components, the CVE doesn't affect your server with logback 1.1.3.
> 
> 
> So the idea is that as long as logback.xml doesn't configure any of the
> above, we are fine with the current logback version?

This is my understanding:
The CVE attack vector is over the network when logback is configured to
send/receive logs over the network using the above components. Cassandra
is configured by default to log to local disk and does not use
ServerSocket[Receiver] in the default logback.xml.

I cannot offer an understanding of individual Cassandra user's logback
configurations, so that must be determined by the user. Thus the warning
in NEWS.txt in cassandra-2.1 thru 3.11 branches.

I can offer experience, as I mentioned in CASSANDRA-14183, that some
relatively basic application logback configurations to local disk broke
when the logback-1.2.3 jars were dropped in, since logback internals
changed. This is why the project tries to be careful when updating
libraries in older branches. We did update to logback-1.2.3 in trunk,
since major updates should be expected to possibly need configuration
changes due to library updates. This logback update in trunk also
allowed us to change the default Cassandra local logging to a much
better and non-broken-by-design strategy for users (logback-1.1.x
rotation is pretty broken, and it is intentional).

-- 
Kind regards,
Michael

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@cassandra.apache.org
For additional commands, e-mail: user-help@cassandra.apache.org
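A shell check for the two conditions Michael describes above (a logback jar older than 1.2.0, and a logback.xml that configures the SocketServer / ServerSocketReceiver components). This is an added example, not code from the thread or from the Cassandra project; the default paths under /usr/share/cassandra and /etc/cassandra are assumptions for a deb install.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Cassandra host for the two
# conditions discussed above. Default paths are assumptions for a deb install.

# Succeeds (0) if a logback-core jar in the given lib dir is older than 1.2.0.
logback_older_than_1_2() {
  for jar in "$1"/logback-core-*.jar; do
    [ -e "$jar" ] || continue
    ver=$(basename "$jar" .jar | sed 's/^logback-core-//')
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
    if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 2 ]; }; then
      return 0
    fi
  done
  return 1
}

# Succeeds (0) if the logback.xml references the network components named in
# the thread (SocketServer / ServerSocketReceiver), the code path the CVE hits.
logback_uses_socket_components() {
  grep -Eq 'SocketServer|ServerSocketReceiver' "$1"
}

# Prints a verdict. Returns 1 only when both exposure conditions hold
# (old jar AND socket components configured), 0 otherwise.
audit_logback() {
  libdir=${1:-/usr/share/cassandra/lib}
  xml=${2:-/etc/cassandra/logback.xml}
  if logback_older_than_1_2 "$libdir" && logback_uses_socket_components "$xml"; then
    echo "EXPOSED: logback < 1.2.0 in $libdir and socket components in $xml"
    return 1
  fi
  echo "OK: logback >= 1.2.0 in $libdir or no socket components in $xml"
  return 0
}

# Constructed sample input: an empty jar named like the one in the thread and a
# minimal logback.xml with only a file appender, as in Cassandra's default.
sample=$(mktemp -d)
mkdir "$sample/lib"
: > "$sample/lib/logback-core-1.1.3.jar"
cat > "$sample/logback.xml" <<'EOF'
<configuration>
  <appender name="SYSTEMLOG" class="ch.qos.logback.core.rolling.RollingFileAppender"/>
  <root level="INFO"><appender-ref ref="SYSTEMLOG"/></root>
</configuration>
EOF
audit_logback "$sample/lib" "$sample/logback.xml"
```

Run it as root on the node with no arguments to use the default paths, or pass the lib directory and logback.xml path explicitly.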


Re: How to upgrade logback dependency

Posted by Oleksandr Shulgin <ol...@zalando.de>.
On Tue, Feb 12, 2019 at 7:02 PM Michael Shuler <mi...@pbandjelly.org>
wrote:

> If you are not using the logback SocketServer and ServerSocketReceiver
> components, the CVE doesn't affect your server with logback 1.1.3.
>

So the idea is that as long as logback.xml doesn't configure any of the
above, we are fine with the current logback version?

Thanks,
--
Alex

Re: How to upgrade logback dependency

Posted by Michael Shuler <mi...@pbandjelly.org>.
On 2/12/19 11:53 AM, Michael Shuler wrote:
> https://issues.apache.org/jira/browse/CASSANDRA-14183
> 
> 2.1 NEWS.txt merged up:
> https://github.com/apache/cassandra/blob/cassandra-2.1/NEWS.txt#L21-L28

I should have included that you can try simply replacing the jars in
lib/ with the newer ones. Logging may break.

If you are not using the logback SocketServer and ServerSocketReceiver
components, the CVE doesn't affect your server with logback 1.1.3.

-- 
Kind regards,
Michael



Re: How to upgrade logback dependency

Posted by Michael Shuler <mi...@pbandjelly.org>.
https://issues.apache.org/jira/browse/CASSANDRA-14183

2.1 NEWS.txt merged up:
https://github.com/apache/cassandra/blob/cassandra-2.1/NEWS.txt#L21-L28

-- 
Kind regards,
Michael

On 2/12/19 2:49 AM, Oleksandr Shulgin wrote:
> Hi,
> 
> The latest release notes for all versions mention that logback < 1.2.0
> is subject to CVE-2017-5929 and that the logback version is not upgraded.
> E.g: https://gitbox.apache.org/repos/asf?p=cassandra.git;a=blob_plain;f=NEWS.txt;hb=refs/tags/cassandra-3.0.18
> 
> Indeed, when installing 3.0.18 from the deb package I still see the
> older version:
> 
> # ls -l /usr/share/cassandra/lib/logback*
> -rw-r--r-- 1 root root 280926 Feb  1 18:37
> /usr/share/cassandra/lib/logback-classic-1.1.3.jar
> -rw-r--r-- 1 root root 455041 Feb  1 18:37
> /usr/share/cassandra/lib/logback-core-1.1.3.jar
> 
> Given that I can install a newer logback version, for example, using
> apt-get install liblogback (which currently pulls 1.2.3), how do I make
> sure Cassandra uses the newer one?
> 
> Should I put the newer jars on CLASSPATH before starting the server?
> Examining /usr/share/cassandra/cassandra.in.sh
> suggests that this is likely to do the trick, but is this the way to go
> or is there a better way?
> Didn't find this documented anywhere.
> 
> Regards,
> -- 
> Alex
> 

