Posted to commits@cassandra.apache.org by mc...@apache.org on 2022/02/18 10:21:55 UTC

[cassandra] branch cassandra-4.0 updated (f8b3f60 -> 85fd49f)

This is an automated email from the ASF dual-hosted git repository.

mck pushed a change to branch cassandra-4.0
in repository https://gitbox.apache.org/repos/asf/cassandra.git.


    from f8b3f60  Merge branch 'cassandra-3.11' into cassandra-4.0
     new 679740f  Added CVE-2021-44521 to CHANGES.txt, NEWS.txt
     new 593872c  Merge branch 'cassandra-3.0' into cassandra-3.11
     new 85fd49f  Merge branch 'cassandra-3.11' into cassandra-4.0

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 CHANGES.txt |  1 +
 NEWS.txt    | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org


[cassandra] 01/01: Merge branch 'cassandra-3.11' into cassandra-4.0

Posted by mc...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mck pushed a commit to branch cassandra-4.0
in repository https://gitbox.apache.org/repos/asf/cassandra.git

commit 85fd49f2cf11ba6587f87c552e9081f856c74f6f
Merge: f8b3f60 593872c
Author: Mick Semb Wever <mc...@apache.org>
AuthorDate: Fri Feb 18 11:14:50 2022 +0100

    Merge branch 'cassandra-3.11' into cassandra-4.0

 CHANGES.txt |  1 +
 NEWS.txt    | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)

diff --cc CHANGES.txt
index 92efa8d,a7a7eed..bc76062
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@@ -4,46 -4,20 +4,47 @@@ Merged from 3.0
   * Lazy transaction log replica creation allows incorrect replica content divergence during anticompaction (CASSANDRA-17273)
   * LeveledCompactionStrategy disk space check improvements (CASSANDRA-17272)
  
 +4.0.3
 + * Deprecate otc_coalescing_strategy, otc_coalescing_window_us, otc_coalescing_enough_coalesced_messages,
 +   otc_backlog_expiration_interval_ms (CASSANDRA-17377)
 + * Improve start up processing of Incremental Repair information read from system.repairs (CASSANDRA-17342)
  
 -3.11.12
 +4.0.2
+  * Extend operator control over the UDF threading model for CVE-2021-44521 (CASSANDRA-17352)
 - * Upgrade snakeyaml to 1.26 in 3.11 (CASSANDRA=17028)
 + * Full Java 11 support (CASSANDRA-16894)
 + * Remove unused 'geomet' package from cqlsh path (CASSANDRA-17271)
 + * Removed unused 'cql' dependency (CASSANDRA-17247)
 + * Don't block gossip when clearing repair snapshots (CASSANDRA-17168)
 + * Deduplicate warnings for deprecated parameters (changed names) (CASSANDRA-17160)
 + * Update ant-junit to version 1.10.12 (CASSANDRA-17218)
 + * Add droppable tombstone metrics to nodetool tablestats (CASSANDRA-16308)
 + * Fix disk failure triggered when enabling FQL on an unclean directory (CASSANDRA-17136)
 + * Fixed broken classpath when multiple jars in build directory (CASSANDRA-17129)
 + * DebuggableThreadPoolExecutor does not propagate client warnings (CASSANDRA-17072)
 + * internode_send_buff_size_in_bytes and internode_recv_buff_size_in_bytes have new names. Backward compatibility with the old names added (CASSANDRA-17141)
 + * Remove unused configuration parameters from cassandra.yaml (CASSANDRA-17132)
 + * Queries performed with NODE_LOCAL consistency level do not update request metrics (CASSANDRA-17052)
 + * Fix multiple full sources can be select unexpectedly for bootstrap streaming (CASSANDRA-16945)
 + * Fix cassandra.yaml formatting of parameters (CASSANDRA-17131)
 + * Add backward compatibility for CQLSSTableWriter Date fields (CASSANDRA-17117)
 + * Push initial client connection messages to trace (CASSANDRA-17038)
 + * Correct the internode message timestamp if sending node has wrapped (CASSANDRA-16997)
 + * Avoid race causing us to return null in RangesAtEndpoint (CASSANDRA-16965)
 + * Avoid rewriting all sstables during cleanup when transient replication is enabled (CASSANDRA-16966)
 + * Prevent CQLSH from failure on Python 3.10 (CASSANDRA-16987)
 + * Avoid trying to acquire 0 permits from the rate limiter when taking snapshot (CASSANDRA-16872)
 + * Upgrade Caffeine to 2.5.6 (CASSANDRA-15153)
 + * Include SASI components to snapshots (CASSANDRA-15134)
 + * Fix missed wait latencies in the output of `nodetool tpstats -F` (CASSANDRA-16938)
 + * Remove all the state pollution between tests in SSTableReaderTest (CASSANDRA-16888)
 + * Delay auth setup until after gossip has settled to avoid unavailables on startup (CASSANDRA-16783)
 + * Fix clustering order logic in CREATE MATERIALIZED VIEW (CASSANDRA-16898)
 + * org.apache.cassandra.db.rows.ArrayCell#unsharedHeapSizeExcludingData includes data twice (CASSANDRA-16900)
 + * Exclude Jackson 1.x transitive dependency of hadoop* provided dependencies (CASSANDRA-16854)
 +Merged from 3.11:
   * Add key validation to ssstablescrub (CASSANDRA-16969)
   * Update Jackson from 2.9.10 to 2.12.5 (CASSANDRA-16851)
 - * Include SASI components to snapshots (CASSANDRA-15134)
   * Make assassinate more resilient to missing tokens (CASSANDRA-16847)
 - * Exclude Jackson 1.x transitive dependency of hadoop* provided dependencies (CASSANDRA-16854)
 - * Validate SASI tokenizer options before adding index to schema (CASSANDRA-15135)
 - * Fixup scrub output when no data post-scrub and clear up old use of row, which really means partition (CASSANDRA-16835)
 - * Fix ant-junit dependency issue (CASSANDRA-16827)
 - * Reduce thread contention in CommitLogSegment and HintsBuffer (CASSANDRA-16072)
 - * Avoid sending CDC column if not enabled (CASSANDRA-16770)
  Merged from 3.0:
   * Fix conversion from megabits to bytes in streaming rate limiter (CASSANDRA-17243)
   * Upgrade logback to 1.2.9 (CASSANDRA-17204)
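Review bot: the new 4.0.2 entry `* Extend operator control over the UDF threading model for CVE-2021-44521 (CASSANDRA-17352)` understates what the operator has to do; the NEWS.txt hunk in this same merge says a node running with `enable_user_defined_functions_threads: false` must now set `allow_insecure_udfs: true`, which is an upgrade action item, not just an extension of control. Consider wording the CHANGES line so that someone reading only CHANGES.txt sees it, e.g. "Require allow_insecure_udfs to run scripted UDFs without UDF threads (CVE-2021-44521, CASSANDRA-17352)", or at least point at the NEWS.txt section. Note also that the entry is added to the already-listed 4.0.2 section rather than the open 4.0.3 section at the top of the file; that placement is only right if the fix shipped in 4.0.2, so double-check the release it actually landed in.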
diff --cc NEWS.txt
index 8599c36,1559aa8..eac73f5
--- a/NEWS.txt
+++ b/NEWS.txt
@@@ -18,6 -18,33 +18,24 @@@ CASSANDRA-14092.txt file
  If you use or plan to use very large TTLS (10 to 20 years), read CASSANDRA-14092.txt
  for more information.
  
 -PLEASE READ: CVE-2017-5929 LOGBACK BEFORE 1.2.0 SERIALIZATION VULNERABILITY
 -------------------------------------------------------------------
 -QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the
 -SocketServer and ServerSocketReceiver components.
 -
 -Logback has not been upgraded to avoid breaking deployments and customizations
 -based on older versions. If you are using vulnerable components you will need
 -to upgrade to a newer version of Logback or stop using the vulnerable components.
 -
+ PLEASE READ: CVE-2021-44521 SCRIPTED UDF SYSTEM ACCESS (CASSANDRA-17352)
+ ------------------------------------------------------------------------
+ 
+ If you have enabled scripted UDFs and run without UDF threads in cassandra.yaml:
+ 
+     enable_user_defined_functions_threads: false
+ 
+ an attacker could access java.lang.System methods and execute arbitrary code on
+ the machine. Disabling UDF threads is still considered insecure and not recommended.
+ 
+ To continue running without UDF threads you will need to set:
+ 
+     allow_insecure_udfs: true
+ 
+ and if you need access to java.lang.System for existing UDFs, set:
+ 
+     allow_extra_insecure_udfs: true
+ 
  GENERAL UPGRADING ADVICE FOR ANY VERSION
  ========================================
  
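Review bot: the new PLEASE READ section does not state the precondition for the attack or what happens to a node that does not set the new flag. "an attacker could access java.lang.System methods and execute arbitrary code" should say who the attacker is, namely a user able to create or replace a scripted UDF, so operators can judge their exposure by their CREATE FUNCTION grants; and "To continue running without UDF threads you will need to set: allow_insecure_udfs: true" should say explicitly whether a node with `enable_user_defined_functions_threads: false` and no `allow_insecure_udfs` refuses to start or merely logs, since that is what an upgrade checklist needs. The default of each new option (`allow_insecure_udfs`, `allow_extra_insecure_udfs`) should also be given, and it would help to say that the recommended remediation is to leave UDF threads enabled rather than to set either flag.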
