I don’t think we need to stop the vote.  This CVE has been around for a while 
(3/13/2017), and does affect any install I have ever seen.  It affects users 
who manually enable some specific logback features using the SocketServer or 
ServerSocketReceiver component which are not used in our default settings (or 
by any install I have ever seen).

-Jeremiah

> On Feb 13, 2018, at 11:48 AM, Jason Brown <jasedbr...@gmail.com> wrote:
> 
> Ariel,
> 
> If this is a legit CVE, then we would want to patch all the current
> versions we support - which is 2.1 and higher.
> 
> Also, is this worth stopping the current open vote for this patch? (Not in
> a place to look at the patch and effects on impacted branches right now).
> 
> Jason
> 
> On Tue, Feb 13, 2018 at 08:43 Ariel Weisberg <ar...@weisberg.ws> wrote:
> 
>> Hi,
>> 
>> Seems like users could conceivably be using the vulnerable component. Also
>> seems like we potentially need to do this as far back as 2.1?
>> 
>> Anyone else have an opinion before I commit this? What version to start
>> from?
>> 
>> Ariel
>> 
>> On Tue, Feb 13, 2018, at 5:59 AM, Thiago Veronezi wrote:
>>> Hi dev team,
>>> 
>>> Sorry to keep bothering you.
>>> 
>>> This is just a friendly reminder that I would like to contribute to this
>>> project starting with a fix for CASSANDRA-14183
>>> <https://issues.apache.org/jira/browse/CASSANDRA-14183>.
>>> 
>>> []s,
>>> Thiago.
>>> 
>>> 
>>> 
>>> On Tue, Jan 30, 2018 at 8:05 AM, Thiago Veronezi <thi...@veronezi.org>
>>> wrote:
>>> 
>>>> Hi dev team,
>>>> 
>>>> Can one of you guys take a look at this Jira ticket?
>>>> https://issues.apache.org/jira/browse/CASSANDRA-14183
>>>> 
>>>> It has a patch available for a known security issue with one of the
>>>> dependencies. It has only trivial code changes. It should be
>>>> straightforward to review it. Any feedback is very welcome.
>>>> 
>>>> Thanks,
>>>> Thiago
>>>> 
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org
>> For additional commands, e-mail: dev-h...@cassandra.apache.org
>> 
>> 

