[https://issues.apache.org/jira/browse/CASSANDRA-16990?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel]
Stefan Miklosovic updated CASSANDRA-16990:
------------------------------------------
Description:
We are using jbcrypt version 0.3m across all versions; this version of the
library has not been changed since 1.1.2.
In 0.3m they found out this (1) (2, 3 for better explanation / reference).
I think we are affected by this: it is possible to set 31 rounds here (4), which
would hit the same logic afterward that these tickets are talking about.
1) [https://nvd.nist.gov/vuln/detail/CVE-2015-0886]
2) [http://www.mindrot.org/projects/jBCrypt/news/rel04.html]
3) [https://bugzilla.mindrot.org/show_bug.cgi?id=2097]
4) [https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/auth/CassandraRoleManager.java#L105-L117]
I hence propose to update the library to 0.4, where this is fixed.
was:
We are using jbcrypt version 0.3m across all versions; this version of the
library has not been changed since 1.1.2.
In 0.3m they found out it (1) (2 for better explanation).
I think we are affected by this: it is possible to set 31 rounds here (3), which
would hit the same logic afterward that these tickets are talking about.
1) [http://www.mindrot.org/projects/jBCrypt/news/rel04.html]
2) [https://bugzilla.mindrot.org/show_bug.cgi?id=2097]
3) [https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/auth/CassandraRoleManager.java#L105-L117]
I hence propose to update the library to 0.4, where this is fixed.
> Update jbcrypt library to 0.4 from 0.3m to resolve CVE-2015-0886
> ----------------------------------------------------------------
>
> Key: CASSANDRA-16990
> URL: https://issues.apache.org/jira/browse/CASSANDRA-16990
> Project: Cassandra
> Issue Type: Task
> Components: Dependencies
> Reporter: Stefan Miklosovic
> Assignee: Stefan Miklosovic
> Priority: Normal
> Fix For: 3.0.26, 3.11.12, 4.0.2, 4.1
>
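The overflow the ticket refers to can be checked offline. The following is an added example, not code from the ticket, jBCrypt or Cassandra: it models the arithmetic behind CVE-2015-0886 as described in the linked references, where jBCrypt's key stretching computes `rounds = 1 << log_rounds` and loops `for (i = 0; i < rounds; i++)`, with `rounds` being a Java `int` in 0.3m and a `long` in 0.4 (the width of the counter in each release is taken from those references, not from the page). It also includes a simple validator of the kind a deployment could apply to its configured work factor while still on the old library; the 4..31 bcrypt range and the function names are the example's own assumptions.

```python
"""Constructed model of the CVE-2015-0886 work-factor overflow in jBCrypt.

jBCrypt derives the number of key-stretching iterations as 1 << log_rounds
and then runs `for (i = 0; i < rounds; i++)` over the expensive key schedule.
With a 32-bit signed `rounds` (jBCrypt 0.3m) the shift for log_rounds == 31
wraps to a negative number and the loop body never executes, so the hash is
computed with no stretching at all.  A 64-bit `rounds` (jBCrypt 0.4) holds
the value.  Nothing here calls bcrypt; it only reproduces the counter math.
"""

INT_MAX = 2**31 - 1
LONG_MAX = 2**63 - 1


def java_int(value: int) -> int:
    """Wrap an unbounded Python int to Java's signed 32-bit two's complement."""
    value &= 0xFFFFFFFF
    return value - 2**32 if value > INT_MAX else value


def java_long(value: int) -> int:
    """Wrap an unbounded Python int to Java's signed 64-bit two's complement."""
    value &= 0xFFFFFFFFFFFFFFFF
    return value - 2**64 if value > LONG_MAX else value


def stretch_iterations(log_rounds: int, wide_counter: bool) -> int:
    """Number of iterations the key-stretching loop would actually perform.

    wide_counter=False models the 32-bit counter of jBCrypt 0.3m;
    wide_counter=True models the 64-bit counter of jBCrypt 0.4.
    A `for (i = 0; i < rounds; i++)` loop with negative `rounds` runs zero
    times, which is what max(rounds, 0) expresses.
    """
    if not 4 <= log_rounds <= 31:
        raise ValueError("bcrypt log_rounds must be in 4..31")
    shifted = 1 << log_rounds
    rounds = java_long(shifted) if wide_counter else java_int(shifted)
    return max(rounds, 0)


def is_safe_log_rounds(log_rounds: int) -> bool:
    """Configuration check (hypothetical helper): accept only work factors
    whose 1 << log_rounds fits a 32-bit signed int, so a deployment still on
    jBCrypt 0.3m cannot be configured into the zero-iteration case."""
    return 4 <= log_rounds <= 30


if __name__ == "__main__":
    for lr in (10, 30, 31):
        print(f"log_rounds={lr:2d}  0.3m iterations={stretch_iterations(lr, False):>10}"
              f"  0.4 iterations={stretch_iterations(lr, True):>10}"
              f"  safe on 0.3m={is_safe_log_rounds(lr)}")
```

Running the module prints one line per work factor; the log_rounds=31 row is the one where the 0.3m column shows 0 iterations while the 0.4 column shows 2147483648, which is the behaviour the library upgrade removes.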
--
This message was sent by Atlassian Jira
(v8.3.4#803005)