[jira] [Commented] (CASSANDRA-18808) netty-handler vulnerability: CVE-2023-4586

2023-12-11 Thread Michael Semb Wever (Jira)


[ https://issues.apache.org/jira/browse/CASSANDRA-18808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17795487#comment-17795487 ]

Michael Semb Wever commented on CASSANDRA-18808:


[~smiklosovic], do you want to enable OWASP on ci-cassandra.a.o again, please?

> netty-handler vulnerability: CVE-2023-4586
> --
>
> Key: CASSANDRA-18808
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18808
> Project: Cassandra
>  Issue Type: Bug
>  Components: Consistency/Coordination
>Reporter: Brandon Williams
>Assignee: Brandon Williams
>Priority: Normal
> Fix For: 5.0.x, 5.x
>
>
> This is failing OWASP:
> {noformat}
> Dependency-Check Failure:
> One or more dependencies were identified with vulnerabilities that have a 
> CVSS score greater than or equal to '1.0': 
> netty-handler-4.1.96.Final.jar: CVE-2023-4586
> {noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org



[jira] [Commented] (CASSANDRA-18808) netty-handler vulnerability: CVE-2023-4586

2023-12-11 Thread Brandon Williams (Jira)


[ https://issues.apache.org/jira/browse/CASSANDRA-18808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17795405#comment-17795405 ]

Brandon Williams commented on CASSANDRA-18808:

This is no longer failing OWASP, and 
https://nvd.nist.gov/vuln/detail/CVE-2023-4586 was modified on December 6th to 
be specific to Red Hat's Hot Rod client, whatever that may be.  I am not sure 
what, if anything, needs to be done on this ticket.




[jira] [Commented] (CASSANDRA-18808) netty-handler vulnerability: CVE-2023-4586

2023-10-11 Thread Brandon Williams (Jira)


[ https://issues.apache.org/jira/browse/CASSANDRA-18808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17774007#comment-17774007 ]

Brandon Williams commented on CASSANDRA-18808:

I'm not sure what to think about this anymore; see CASSANDRA-18922.




[jira] [Commented] (CASSANDRA-18808) netty-handler vulnerability: CVE-2023-4586

2023-10-10 Thread Michael Semb Wever (Jira)


[ https://issues.apache.org/jira/browse/CASSANDRA-18808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17773771#comment-17773771 ]

Michael Semb Wever commented on CASSANDRA-18808:


Any updates, [~norman]?




[jira] [Commented] (CASSANDRA-18808) netty-handler vulnerability: CVE-2023-4586

2023-09-28 Thread Norman Maurer (Jira)


[ https://issues.apache.org/jira/browse/CASSANDRA-18808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17770135#comment-17770135 ]

Norman Maurer commented on CASSANDRA-18808:

Sorry, I didn't have time yet, but it's on my todo list.




[jira] [Commented] (CASSANDRA-18808) netty-handler vulnerability: CVE-2023-4586

2023-09-19 Thread Norman Maurer (Jira)


[ https://issues.apache.org/jira/browse/CASSANDRA-18808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17766866#comment-17766866 ]

Norman Maurer commented on CASSANDRA-18808:

Ok will do tomorrow latest. 




[jira] [Commented] (CASSANDRA-18808) netty-handler vulnerability: CVE-2023-4586

2023-09-19 Thread Brandon Williams (Jira)


[ https://issues.apache.org/jira/browse/CASSANDRA-18808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17766865#comment-17766865 ]

Brandon Williams commented on CASSANDRA-18808:

I don't think it's currently enabled; if you want to check and submit a PR, that 
would be great.




[jira] [Commented] (CASSANDRA-18808) netty-handler vulnerability: CVE-2023-4586

2023-09-19 Thread Norman Maurer (Jira)


[ https://issues.apache.org/jira/browse/CASSANDRA-18808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17766864#comment-17766864 ]

Norman Maurer commented on CASSANDRA-18808:

I can also verify and do a PR if needed... just let me know 




[jira] [Commented] (CASSANDRA-18808) netty-handler vulnerability: CVE-2023-4586

2023-09-19 Thread Brandon Williams (Jira)


[ https://issues.apache.org/jira/browse/CASSANDRA-18808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17766853#comment-17766853 ]

Brandon Williams commented on CASSANDRA-18808:

[~jmeredithco] git blame says you are the author 
[there|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/SSLFactory.java#L359],
 would you like to take this on?




[jira] [Commented] (CASSANDRA-18808) netty-handler vulnerability: CVE-2023-4586

2023-09-19 Thread Norman Maurer (Jira)


[ https://issues.apache.org/jira/browse/CASSANDRA-18808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17766849#comment-17766849 ]

Norman Maurer commented on CASSANDRA-18808:

Netty does not enable hostname verification by default. You need to enable it 
by yourself. If you already have there is nothing you need to do.


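Norman's point above is that hostname verification is opt-in on a Netty TLS client: the engine only checks the server certificate against a name if one was supplied when the handler was created and the JSSE endpoint identification algorithm was set. The following is an added example and not code from the Cassandra project or from Netty. It shows a client-side ChannelInitializer that builds the SslHandler with the expected peer host and port, enables endpoint identification on its SSLEngine, and provides a small check that a unit test or configuration audit can use to confirm verification is actually on. The class name VerifiedTlsClientInitializer, the helper names, and the use of the JDK default trust store are assumptions of this example.

```java
import io.netty.channel.Channel;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.ChannelPipeline;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;

/**
 * Added example (not Cassandra's or Netty's own code): a Netty TLS client
 * initializer that turns on hostname verification, which Netty leaves off
 * by default.
 */
public final class VerifiedTlsClientInitializer extends ChannelInitializer<Channel> {

    private final SslContext sslContext;
    private final String peerHost;   // the name expected in the server certificate
    private final int peerPort;

    public VerifiedTlsClientInitializer(SslContext sslContext, String peerHost, int peerPort) {
        this.sslContext = sslContext;
        this.peerHost = peerHost;
        this.peerPort = peerPort;
    }

    /** Client context backed by the JDK default trust store (assumption of this example). */
    public static SslContext defaultClientContext() throws SSLException {
        // For a private CA, add .trustManager(caCertFile) before build().
        return SslContextBuilder.forClient().build();
    }

    /**
     * Enables endpoint identification on an engine. "HTTPS" selects the JSSE
     * algorithm that matches the server certificate's SAN (or CN) against the
     * peer host the engine was created with; "LDAPS" is the other defined value.
     */
    public static SSLEngine enableHostnameVerification(SSLEngine engine) {
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    /** Check usable from a test or audit: true only if an algorithm is set. */
    public static boolean isHostnameVerificationEnabled(SSLEngine engine) {
        String alg = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
        return alg != null && !alg.isEmpty();
    }

    @Override
    protected void initChannel(Channel ch) {
        // Passing peerHost/peerPort is what gives the engine a name to verify
        // against; a handler created without them has nothing to compare.
        SslHandler sslHandler = sslContext.newHandler(ch.alloc(), peerHost, peerPort);
        enableHostnameVerification(sslHandler.engine());

        ChannelPipeline p = ch.pipeline();
        p.addFirst("ssl", sslHandler);
        // application handlers follow the SslHandler
    }
}
```

Both halves matter: setting the algorithm on an engine created without a peer host gives the check nothing to match, and supplying the host without setting the algorithm leaves the certificate's name unchecked, so a test should construct the handler the same way the production initializer does and assert `isHostnameVerificationEnabled(sslHandler.engine())`.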


[jira] [Commented] (CASSANDRA-18808) netty-handler vulnerability: CVE-2023-4586

2023-09-19 Thread Brandon Williams (Jira)


[ https://issues.apache.org/jira/browse/CASSANDRA-18808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17766847#comment-17766847 ]

Brandon Williams commented on CASSANDRA-18808:

Still no updates here.  [~norman] do you have any suggestions?




[jira] [Commented] (CASSANDRA-18808) netty-handler vulnerability: CVE-2023-4586

2023-08-31 Thread Brandon Williams (Jira)


[ https://issues.apache.org/jira/browse/CASSANDRA-18808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17760849#comment-17760849 ]

Brandon Williams commented on CASSANDRA-18808:

A CVE has been created but there is no information yet: 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4586

On CASSANDRA-18812 Stefan found 
https://ossindex.sonatype.org/vulnerability/CVE-2023-4586 which looks correct 
but I'd rather wait for mitre or nist to publish something.




[jira] [Commented] (CASSANDRA-18808) netty-handler vulnerability: CVE-2023-4586

2023-08-30 Thread Brandon Williams (Jira)


[ https://issues.apache.org/jira/browse/CASSANDRA-18808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17760407#comment-17760407 ]

Brandon Williams commented on CASSANDRA-18808:

I'm not able to find anything on this CVE, but experience here has shown we 
should probably just wait a few days and check again.

> netty-handler vulnerability: CVE-2023-4586
> --
>
> Key: CASSANDRA-18808
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18808
> Project: Cassandra
>  Issue Type: Bug
>  Components: Consistency/Coordination
>Reporter: Brandon Williams
>Assignee: Brandon Williams
>Priority: Normal
> Fix For: 5.x
>
>
> This is failing OWASP:
> {noformat}
> Dependency-Check Failure:
> One or more dependencies were identified with vulnerabilities that have a 
> CVSS score greater than or equal to '1.0': 
> netty-handler-4.1.96.Final.jar: CVE-2023-4586
> {noformat}


