[
https://issues.apache.org/jira/browse/CASSANDRA-16990?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Stefan Miklosovic updated CASSANDRA-16990:
------------------------------------------
Resolution: Duplicate
Status: Resolved (was: Open)
> Update jbcrypt library to 0.4 from 0.3m to resolve CVE-2015-0886
> ----------------------------------------------------------------
>
> Key: CASSANDRA-16990
> URL: https://issues.apache.org/jira/browse/CASSANDRA-16990
> Project: Cassandra
> Issue Type: Task
> Components: Dependencies
> Reporter: Stefan Miklosovic
> Assignee: Stefan Miklosovic
> Priority: Normal
> Fix For: 3.0.26, 3.11.12, 4.0.2, 4.1
>
>
> We are using jbcrypto of version 0.3m across all versions, this version of
> the library was never changed since 1.1.2.
> In 0.3m they found out this (1) and (2, 3 for better explanation / reference)
> I think we are affected by this, it is possible to set 31 rounds here (4)
> which would hit the same same logic afteward these tickets are talking about.
> 1) [https://nvd.nist.gov/vuln/detail/CVE-2015-0886]
> 2) [http://www.mindrot.org/projects/jBCrypt/news/rel04.html]
> 3) [https://bugzilla.mindrot.org/show_bug.cgi?id=2097]
> 4)
> [https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/auth/CassandraRoleManager.java#L105-L117]
> I hence propose to update the library to 0.4 where this is fixed.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
