Re: Backporting CASSANDRA-17812 to 4.x

[J. D. Jordan]

If I read the ticket correctly, this is preventing bcrypt of incoming credentials from causing a DOS? I think that’s reasonable to backport.  If we want to be conservative it could be backported with added code that keeps the current behavior by default? On Nov 5, 2024, at 7:43 AM, Josh McKenzie <jmcken...@apache.org> wrote:  I'm neutral to the backport. In terms of the letter of the law, I can see the argument either way of it being an improvement or a bugfix. Definitely wouldn't -1 a backport. On Tue, Nov 5, 2024, at 7:23 AM, Mick Semb Wever wrote: Can you please put the ticket description in the email.  Saves us having to follow the link to know what you're talking about. Yes to backporting this. On Tue, 5 Nov 2024 at 10:27, Štefan Miklošovič <smikloso...@apache.org> wrote: Hello, I want to ask if there are objections for backporting CASSANDRA-17812 (1) to 4.0.x and 4.1.x. There is a question already in that ticket about backporting from another person and we keep being asked about this a lot. It seems to me that while this is technically an improvement, it is so valuable that we should make an exception here.  It is even security related. (1) https://issues.apache.org/jira/browse/CASSANDRA-17812 Regards