CVE-2017-5929 Security vulnerability in Logback warning in NEWS.txt

Patch by Ariel Weisberg; Reviewed by Jason Brown for CASSANDRA-14183


Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo
Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/4bbd28a0
Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/4bbd28a0
Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/4bbd28a0

Branch: refs/heads/trunk
Commit: 4bbd28a043f15dd6c19de157acb5950319e8c16c
Parents: b294943
Author: Ariel Weisberg <aweisb...@apple.com>
Authored: Wed Feb 14 11:55:00 2018 -0500
Committer: Ariel Weisberg <aweisb...@apple.com>
Committed: Wed Feb 14 11:55:00 2018 -0500

----------------------------------------------------------------------
 CHANGES.txt | 3 +++
 NEWS.txt    | 9 +++++++++
 2 files changed, 12 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cassandra/blob/4bbd28a0/CHANGES.txt
----------------------------------------------------------------------
diff --git a/CHANGES.txt b/CHANGES.txt
index 9332354..0c25388 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,3 +1,6 @@
+2.1.21
+ * CVE-2017-5929 Security vulnerability in Logback warning in NEWS.txt 
(CASSANDRA-14183)
+
 2.1.20
  * Protect against overflow of local expiration time (CASSANDRA-14092)
  * More PEP8 compliance for cqlsh (CASSANDRA-14021)

http://git-wip-us.apache.org/repos/asf/cassandra/blob/4bbd28a0/NEWS.txt
----------------------------------------------------------------------
diff --git a/NEWS.txt b/NEWS.txt
index fb6b4ee..232f3cd 100644
--- a/NEWS.txt
+++ b/NEWS.txt
@@ -18,6 +18,15 @@ CASSANDRA-14092.txt file.
 If you use or plan to use very large TTLS (10 to 20 years), read 
CASSANDRA-14092.txt
 for more information.
 
+PLEASE READ: CVE-2017-5929 LOGBACK BEFORE 1.2.0 SERIALIZATION VULNERABILITY
+------------------------------------------------------------------
+QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the
+SocketServer and ServerSocketReceiver components.
+
+Logback has not been upgraded to avoid breaking deployments and customizations
+based on older versions. If you are using vulnerable components you will need
+to upgrade to a newer version of Logback or stop using the vulnerable 
components.
+
 GENERAL UPGRADING ADVICE FOR ANY VERSION
 ========================================
 


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

Reply via email to