Michael Shuler commented on CASSANDRA-14183:

As discussed on the dev@ list and IRC, I have experienced third-party 
application failure upon updating to logback-1.2.3, so I am not keen on 
updating the jar in stable branches without due diligence on test updates and 
user notification.

I'm fine with committing an update to trunk.

Dropping in a new jar is not all that's needed for a complete fix, since we 
break unit tests. I attached a git patch on trunk that was created for the 
purpose of fixing log rotation, but it does not build properly, at the moment. 
It has the cql3 test changes needed, as well as some notes on obsoleted api 
changes in logback since 1.1.3.

I hope it helps.

> CVE-2017-5929 Security vulnerability
> ------------------------------------
>                 Key: CASSANDRA-14183
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14183
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Libraries
>            Reporter: Thiago Veronezi
>            Assignee: Thiago Veronezi
>            Priority: Major
>              Labels: patch, security
>             Fix For: 3.11.x
>         Attachments: 
> 0001-Update-to-logback-1.2.3-and-redefine-default-rotatio.patch
> Cassandra 3.11.1 is patched with logback 1.1.3, which contains the security 
> vulnerability described here. 
> [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929]

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

Reply via email to