[jira] [Commented] (CASSANDRA-18808) netty-handler vulnerability: CVE-2023-4586
[ https://issues.apache.org/jira/browse/CASSANDRA-18808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17795487#comment-17795487 ]

Michael Semb Wever commented on CASSANDRA-18808:

[~smiklosovic], do you want to enable owasp on ci-cassandra.a.o again please.

> netty-handler vulnerability: CVE-2023-4586
> --
>
> Key: CASSANDRA-18808
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18808
> Project: Cassandra
> Issue Type: Bug
> Components: Consistency/Coordination
> Reporter: Brandon Williams
> Assignee: Brandon Williams
> Priority: Normal
> Fix For: 5.0.x, 5.x
>
> This is failing OWASP:
> {noformat}
> Dependency-Check Failure:
> One or more dependencies were identified with vulnerabilities that have a
> CVSS score greater than or equal to '1.0':
> netty-handler-4.1.96.Final.jar: CVE-2023-4586
> {noformat}

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
[ https://issues.apache.org/jira/browse/CASSANDRA-18808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17795405#comment-17795405 ]

Brandon Williams commented on CASSANDRA-18808:

This is no longer failing OWASP, and https://nvd.nist.gov/vuln/detail/CVE-2023-4586 was modified on December 6th to be specific to Red Hat's Hot Rod client, whatever that may be. I am not sure what, if anything, needs to be done on this ticket.
[ https://issues.apache.org/jira/browse/CASSANDRA-18808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17774007#comment-17774007 ]

Brandon Williams commented on CASSANDRA-18808:

I'm not sure what to think about this anymore, see CASSANDRA-18922
[ https://issues.apache.org/jira/browse/CASSANDRA-18808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17773771#comment-17773771 ]

Michael Semb Wever commented on CASSANDRA-18808:

any updates [~norman]?
[ https://issues.apache.org/jira/browse/CASSANDRA-18808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17770135#comment-17770135 ]

Norman Maurer commented on CASSANDRA-18808:

Sorry I didn't have time yet but it's on my todo list
[ https://issues.apache.org/jira/browse/CASSANDRA-18808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17766866#comment-17766866 ]

Norman Maurer commented on CASSANDRA-18808:

Ok will do tomorrow latest.
[ https://issues.apache.org/jira/browse/CASSANDRA-18808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17766865#comment-17766865 ]

Brandon Williams commented on CASSANDRA-18808:

I don't think it's currently enabled, if you want to check and submit a PR that would be great.
[ https://issues.apache.org/jira/browse/CASSANDRA-18808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17766864#comment-17766864 ]

Norman Maurer commented on CASSANDRA-18808:

I can also verify and do a PR if needed... just let me know
[ https://issues.apache.org/jira/browse/CASSANDRA-18808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17766853#comment-17766853 ]

Brandon Williams commented on CASSANDRA-18808:

[~jmeredithco] git blame says you are the author [there|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/SSLFactory.java#L359], would you like to take this on?
[ https://issues.apache.org/jira/browse/CASSANDRA-18808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17766849#comment-17766849 ]

Norman Maurer commented on CASSANDRA-18808:

Netty does not enable hostname verification by default. You need to enable it by yourself. If you already have there is nothing you need to do.
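The point Norman makes above, shown as an added example that is not part of this thread and is not Cassandra's or Netty's own code: a Netty client SslHandler built with the library defaults (certificate chain validated, peer name never compared to the host being dialled) beside one that turns on hostname verification through the JDK's endpoint identification algorithm on the SSLEngine. It assumes netty-handler is on the classpath and a PEM file of trusted CA certificates; the class name VerifiedSslHandlerFactory and its method names are hypothetical.

```java
// Added example, not Cassandra's or Netty's code. Assumes netty-handler on the
// classpath. Class and method names are hypothetical.
import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import java.io.File;

public final class VerifiedSslHandlerFactory {

    private final SslContext clientContext;

    /** trustedCasPem: PEM file holding the CA certificates the client trusts. */
    public VerifiedSslHandlerFactory(File trustedCasPem) throws SSLException {
        this.clientContext = SslContextBuilder.forClient()
                .trustManager(trustedCasPem)
                .build();
    }

    /**
     * Netty default: the handshake validates the server's certificate chain
     * against the trust store, but nothing checks that the certificate was
     * issued for {@code host}. Any certificate from a trusted CA is accepted.
     */
    public SslHandler withoutHostnameVerification(ByteBufAllocator alloc, String host, int port) {
        return clientContext.newHandler(alloc, host, port);
    }

    /**
     * Hardened: ask the JDK to perform endpoint identification ("HTTPS" rules,
     * i.e. RFC 2818/6125 style name matching against the SAN/CN) for the peer
     * host passed to newEngine. A trusted certificate issued for a different
     * name now fails the handshake.
     */
    public SslHandler withHostnameVerification(ByteBufAllocator alloc, String host, int port) {
        SSLEngine engine = clientContext.newEngine(alloc, host, port);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return new SslHandler(engine);
    }

    /**
     * Self-check usable from a unit test or at startup: true only when the
     * engine has an endpoint identification algorithm configured.
     */
    public static boolean isHostnameVerificationEnabled(SSLEngine engine) {
        String alg = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
        return alg != null && !alg.isEmpty();
    }

    public static void main(String[] args) throws SSLException {
        // Constructed sample path; point it at a real CA bundle to run.
        VerifiedSslHandlerFactory f = new VerifiedSslHandlerFactory(new File("ca-bundle.pem"));
        ByteBufAllocator alloc = ByteBufAllocator.DEFAULT;
        SslHandler weak = f.withoutHostnameVerification(alloc, "node1.example.internal", 7001);
        SslHandler hard = f.withHostnameVerification(alloc, "node1.example.internal", 7001);
        System.out.println("default engine verifies hostname: "
                + isHostnameVerificationEnabled(weak.engine()));   // false
        System.out.println("hardened engine verifies hostname: "
                + isHostnameVerificationEnabled(hard.engine()));   // true
    }
}
```

The check in isHostnameVerificationEnabled is the thing to assert in a test: it catches a future refactor that rebuilds the SslHandler from a fresh engine and silently drops the SSLParameters, which is exactly the class of regression a dependency scanner flag like this one cannot detect.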
[ https://issues.apache.org/jira/browse/CASSANDRA-18808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17766847#comment-17766847 ]

Brandon Williams commented on CASSANDRA-18808:

Still no updates here. [~norman] do you have any suggestions?
[ https://issues.apache.org/jira/browse/CASSANDRA-18808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17760849#comment-17760849 ]

Brandon Williams commented on CASSANDRA-18808:

A CVE has been created but there is no information yet: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4586

On CASSANDRA-18812 Stefan found https://ossindex.sonatype.org/vulnerability/CVE-2023-4586 which looks correct but I'd rather wait for mitre or nist to publish something.
[ https://issues.apache.org/jira/browse/CASSANDRA-18808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17760407#comment-17760407 ]

Brandon Williams commented on CASSANDRA-18808:

I'm not able to find anything on this CVE, but experience here has shown we should probably just wait a few days and check again.