This is an automated email from the ASF dual-hosted git repository. mck pushed a commit to branch cassandra-4.0 in repository https://gitbox.apache.org/repos/asf/cassandra.git
commit 85fd49f2cf11ba6587f87c552e9081f856c74f6f Merge: f8b3f60 593872c Author: Mick Semb Wever <[email protected]> AuthorDate: Fri Feb 18 11:14:50 2022 +0100 Merge branch 'cassandra-3.11' into cassandra-4.0 CHANGES.txt | 1 + NEWS.txt | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+) diff --cc CHANGES.txt index 92efa8d,a7a7eed..bc76062 --- a/CHANGES.txt +++ b/CHANGES.txt @@@ -4,46 -4,20 +4,47 @@@ Merged from 3.0 * Lazy transaction log replica creation allows incorrect replica content divergence during anticompaction (CASSANDRA-17273) * LeveledCompactionStrategy disk space check improvements (CASSANDRA-17272) +4.0.3 + * Deprecate otc_coalescing_strategy, otc_coalescing_window_us, otc_coalescing_enough_coalesced_messages, + otc_backlog_expiration_interval_ms (CASSANDRA-17377) + * Improve start up processing of Incremental Repair information read from system.repairs (CASSANDRA-17342) -3.11.12 +4.0.2 + * Extend operator control over the UDF threading model for CVE-2021-44521 (CASSANDRA-17352) - * Upgrade snakeyaml to 1.26 in 3.11 (CASSANDRA=17028) + * Full Java 11 support (CASSANDRA-16894) + * Remove unused 'geomet' package from cqlsh path (CASSANDRA-17271) + * Removed unused 'cql' dependency (CASSANDRA-17247) + * Don't block gossip when clearing repair snapshots (CASSANDRA-17168) + * Deduplicate warnings for deprecated parameters (changed names) (CASSANDRA-17160) + * Update ant-junit to version 1.10.12 (CASSANDRA-17218) + * Add droppable tombstone metrics to nodetool tablestats (CASSANDRA-16308) + * Fix disk failure triggered when enabling FQL on an unclean directory (CASSANDRA-17136) + * Fixed broken classpath when multiple jars in build directory (CASSANDRA-17129) + * DebuggableThreadPoolExecutor does not propagate client warnings (CASSANDRA-17072) + * internode_send_buff_size_in_bytes and internode_recv_buff_size_in_bytes have new names. 
Backward compatibility with the old names added (CASSANDRA-17141) + * Remove unused configuration parameters from cassandra.yaml (CASSANDRA-17132) + * Queries performed with NODE_LOCAL consistency level do not update request metrics (CASSANDRA-17052) + * Fix multiple full sources can be select unexpectedly for bootstrap streaming (CASSANDRA-16945) + * Fix cassandra.yaml formatting of parameters (CASSANDRA-17131) + * Add backward compatibility for CQLSSTableWriter Date fields (CASSANDRA-17117) + * Push initial client connection messages to trace (CASSANDRA-17038) + * Correct the internode message timestamp if sending node has wrapped (CASSANDRA-16997) + * Avoid race causing us to return null in RangesAtEndpoint (CASSANDRA-16965) + * Avoid rewriting all sstables during cleanup when transient replication is enabled (CASSANDRA-16966) + * Prevent CQLSH from failure on Python 3.10 (CASSANDRA-16987) + * Avoid trying to acquire 0 permits from the rate limiter when taking snapshot (CASSANDRA-16872) + * Upgrade Caffeine to 2.5.6 (CASSANDRA-15153) + * Include SASI components to snapshots (CASSANDRA-15134) + * Fix missed wait latencies in the output of `nodetool tpstats -F` (CASSANDRA-16938) + * Remove all the state pollution between tests in SSTableReaderTest (CASSANDRA-16888) + * Delay auth setup until after gossip has settled to avoid unavailables on startup (CASSANDRA-16783) + * Fix clustering order logic in CREATE MATERIALIZED VIEW (CASSANDRA-16898) + * org.apache.cassandra.db.rows.ArrayCell#unsharedHeapSizeExcludingData includes data twice (CASSANDRA-16900) + * Exclude Jackson 1.x transitive dependency of hadoop* provided dependencies (CASSANDRA-16854) +Merged from 3.11: * Add key validation to ssstablescrub (CASSANDRA-16969) * Update Jackson from 2.9.10 to 2.12.5 (CASSANDRA-16851) - * Include SASI components to snapshots (CASSANDRA-15134) * Make assassinate more resilient to missing tokens (CASSANDRA-16847) - * Exclude Jackson 1.x transitive dependency of hadoop* 
provided dependencies (CASSANDRA-16854) - * Validate SASI tokenizer options before adding index to schema (CASSANDRA-15135) - * Fixup scrub output when no data post-scrub and clear up old use of row, which really means partition (CASSANDRA-16835) - * Fix ant-junit dependency issue (CASSANDRA-16827) - * Reduce thread contention in CommitLogSegment and HintsBuffer (CASSANDRA-16072) - * Avoid sending CDC column if not enabled (CASSANDRA-16770) Merged from 3.0: * Fix conversion from megabits to bytes in streaming rate limiter (CASSANDRA-17243) * Upgrade logback to 1.2.9 (CASSANDRA-17204) diff --cc NEWS.txt index 8599c36,1559aa8..eac73f5 --- a/NEWS.txt +++ b/NEWS.txt @@@ -18,6 -18,33 +18,24 @@@ CASSANDRA-14092.txt file If you use or plan to use very large TTLS (10 to 20 years), read CASSANDRA-14092.txt for more information. -PLEASE READ: CVE-2017-5929 LOGBACK BEFORE 1.2.0 SERIALIZATION VULNERABILITY ------------------------------------------------------------------- -QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the -SocketServer and ServerSocketReceiver components. - -Logback has not been upgraded to avoid breaking deployments and customizations -based on older versions. If you are using vulnerable components you will need -to upgrade to a newer version of Logback or stop using the vulnerable components. - + PLEASE READ: CVE-2021-44521 SCRIPTED UDF SYSTEM ACCESS (CASSANDRA-17352) + ------------------------------------------------------------------------ + + If you have enabled scripted UDFs and run without UDF threads in cassandra.yaml: + + enable_user_defined_functions_threads: false + + an attacker could access java.lang.System methods and execute arbitrary code on + the machine. Disabling UDF threads is still considered insecure and not recommended. 
+ + To continue running without UDF threads you will need to set: + + allow_insecure_udfs: true + + and if you need access to java.lang.System for existing UDFs, set: + + allow_extra_insecure_udfs: true + GENERAL UPGRADING ADVICE FOR ANY VERSION ======================================== --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
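Review bot: In the CHANGES.txt hunk, the 4.0.2 entry "Extend operator control over the UDF threading model for CVE-2021-44521 (CASSANDRA-17352)" reads like an enhancement, yet the NEWS.txt hunk in this same merge shows it is a startup-affecting change for any node running with enable_user_defined_functions_threads: false; reword the entry so an operator scanning CHANGES.txt sees that the new allow_insecure_udfs / allow_extra_insecure_udfs settings may now be required. Minor: the 3.11 line dropped on this side, "* Upgrade snakeyaml to 1.26 in 3.11 (CASSANDRA=17028)", has "=" where the ticket reference should read "CASSANDRA-17028"; since it is not carried into 4.0 here, that typo needs fixing on the cassandra-3.11 branch rather than in this merge.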
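Review bot: In the NEWS.txt hunk, the new CVE-2021-44521 section says operators "will need to set" allow_insecure_udfs: true to keep running without UDF threads, but does not say what happens after upgrade if they do not (whether the node refuses to start or UDF execution fails), nor the default value of either new option; one sentence on each would let an operator judge the upgrade impact before restarting. It is also worth stating plainly that allow_extra_insecure_udfs: true restores exactly the java.lang.System access the preceding paragraph describes as exploitable, so it is not mistaken for a generic compatibility switch. Removing the CVE-2017-5929 Logback notice is consistent with the "Upgrade logback to 1.2.9 (CASSANDRA-17204)" entry merged from 3.0 in CHANGES.txt; citing that ticket in the merge commit message would make the removal self-explanatory.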
