You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cassandra.apache.org by "Stefan Miklosovic (Jira)" <ji...@apache.org> on 2021/09/24 09:42:00 UTC
[jira] [Updated] (CASSANDRA-16990) Update jbcrypt library to 0.4
from 0.3m to resolve CVE-2015-0886
[ https://issues.apache.org/jira/browse/CASSANDRA-16990?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stefan Miklosovic updated CASSANDRA-16990:
------------------------------------------
Change Category: Operability
Complexity: Low Hanging Fruit
Fix Version/s: 4.1
4.0.2
3.11.12
3.0.26
Status: Open (was: Triage Needed)
> Update jbcrypt library to 0.4 from 0.3m to resolve CVE-2015-0886
> ----------------------------------------------------------------
>
> Key: CASSANDRA-16990
> URL: https://issues.apache.org/jira/browse/CASSANDRA-16990
> Project: Cassandra
> Issue Type: Task
> Components: Dependencies
> Reporter: Stefan Miklosovic
> Assignee: Stefan Miklosovic
> Priority: Normal
> Fix For: 3.0.26, 3.11.12, 4.0.2, 4.1
>
>
> We are using jbcrypto of version 0.3m across all versions, this version of the library was never changed since 1.1.2.
> In 0.3m they found out it (1) and (2 for better explanation)
> I think we are affected by this, it is possible to set 31 rounds here (3) which would hit the same same logic afteward these tickets are talking about.
> 1) [http://www.mindrot.org/projects/jBCrypt/news/rel04.html]
> 2) [https://bugzilla.mindrot.org/show_bug.cgi?id=2097]
> 3) [https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/auth/CassandraRoleManager.java#L105-L117]
> I hence propose to update the library to 0.4 where this is fixed.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org