[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[ https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17422258#comment-17422258 ] Dinesh Joshi commented on CASSANDRA-9384: - LGTM +1 > Update jBCrypt dependency to version 0.4 > > > Key: CASSANDRA-9384 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9384 > Project: Cassandra > Issue Type: Bug >Reporter: Sam Tunnicliffe >Assignee: Stefan Miklosovic >Priority: Normal > Fix For: 3.0.26, 3.11.12, 4.0.2, 4.1 > > Time Spent: 10m > Remaining Estimate: 0h > > https://bugzilla.mindrot.org/show_bug.cgi?id=2097 > Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4 > indicate that this is now fixed, so we should update. > Thanks to [~Bereng] for identifying the issue. -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[ https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17421970#comment-17421970 ] Stefan Miklosovic commented on CASSANDRA-9384: -- 3.0 [https://app.circleci.com/pipelines/github/instaclustr/cassandra/500/workflows/f6dd2ebf-8f3e-46e0-9dd4-5f147430614c] 3.11 [https://app.circleci.com/pipelines/github/instaclustr/cassandra/501/workflows/9019e2e2-7700-4747-bcb6-7ac3f7f68294] 4.0 [https://app.circleci.com/pipelines/github/instaclustr/cassandra/498/workflows/79dc187e-c603-4138-8df0-31a605a116f2] trunk [https://app.circleci.com/pipelines/github/instaclustr/cassandra/499/workflows/385cc82d-c680-4b01-899c-a7b834ba454c] > Update jBCrypt dependency to version 0.4 > > > Key: CASSANDRA-9384 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9384 > Project: Cassandra > Issue Type: Bug >Reporter: Sam Tunnicliffe >Assignee: Stefan Miklosovic >Priority: Normal > Fix For: 3.0.x, 3.11.x, 4.0.x, 4.x > > Time Spent: 10m > Remaining Estimate: 0h > > https://bugzilla.mindrot.org/show_bug.cgi?id=2097 > Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4 > indicate that this is now fixed, so we should update. > Thanks to [~Bereng] for identifying the issue. -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[ https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17421576#comment-17421576 ] Stefan Miklosovic commented on CASSANDRA-9384: -- Thanks [~djoshi], other branches are all same (minus changes.txt / news). > Update jBCrypt dependency to version 0.4 > > > Key: CASSANDRA-9384 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9384 > Project: Cassandra > Issue Type: Bug >Reporter: Sam Tunnicliffe >Assignee: Stefan Miklosovic >Priority: Normal > Fix For: 3.0.x, 3.11.x, 4.0.x, 4.x > > Time Spent: 10m > Remaining Estimate: 0h > > https://bugzilla.mindrot.org/show_bug.cgi?id=2097 > Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4 > indicate that this is now fixed, so we should update. > Thanks to [~Bereng] for identifying the issue. -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[ https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17421554#comment-17421554 ] Dinesh Joshi commented on CASSANDRA-9384: - [~stefan.miklosovic] thank you for picking up this patch. For the tiny percentage of users, if there are any, using salting rounds 31 there is no path to upgrade to the latest release without first reducing the rounds on their existing deployment. Could you also add the patches for 3.11 and 4.0 branches? I only see the 3.0 patch which I am +1 on. > Update jBCrypt dependency to version 0.4 > > > Key: CASSANDRA-9384 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9384 > Project: Cassandra > Issue Type: Bug >Reporter: Sam Tunnicliffe >Assignee: Stefan Miklosovic >Priority: Normal > Fix For: 3.0.x, 3.11.x, 4.0.x, 4.x > > Time Spent: 10m > Remaining Estimate: 0h > > https://bugzilla.mindrot.org/show_bug.cgi?id=2097 > Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4 > indicate that this is now fixed, so we should update. > Thanks to [~Bereng] for identifying the issue. -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[ https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17420806#comment-17420806 ] Stefan Miklosovic commented on CASSANDRA-9384: -- Hi [~djoshi], I am proposing this branch to be merged for 3.0 (1), there is "approach 1" so we fill fail unless a user does not check that the number of rounds is at most 30. We are upgrading the lib in all branches here and I will apply same patch for branch 3.11, 4.0 and trunk. Please review and give me +1 if you are ok with this. I also slightly changed the related test because if I set rounds to 30, that test has not finished in a reasonable time so it would be probably killed in Jenkins anyway. My notebook was just salting and salting ... I will create a new ticket for covering the problem I was talking about previously - user is created even though the query has time-outed. I just want to get rid of this one and not to complicate it too much for now as this is the last blocker for CASSANDRA-14612. [https://github.com/instaclustr/cassandra/commits/CASSANDRA-9384-3.0] https://app.circleci.com/pipelines/github/instaclustr/cassandra/497/workflows/1b18fb38-9aa8-4ec2-b52e-2f15f64582a0 > Update jBCrypt dependency to version 0.4 > > > Key: CASSANDRA-9384 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9384 > Project: Cassandra > Issue Type: Bug >Reporter: Sam Tunnicliffe >Assignee: Stefan Miklosovic >Priority: Normal > Fix For: 3.0.x, 3.11.x, 4.0.x, 4.x > > Time Spent: 10m > Remaining Estimate: 0h > > https://bugzilla.mindrot.org/show_bug.cgi?id=2097 > Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4 > indicate that this is now fixed, so we should update. > Thanks to [~Bereng] for identifying the issue. -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[ https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17420715#comment-17420715 ] Stefan Miklosovic commented on CASSANDRA-9384: -- FYI I am dropping 2.0 branch and this will be done only for 3.0, 3.11, 4.0 and trunk. I am going with the "first approach". > Update jBCrypt dependency to version 0.4 > > > Key: CASSANDRA-9384 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9384 > Project: Cassandra > Issue Type: Bug >Reporter: Sam Tunnicliffe >Assignee: Stefan Miklosovic >Priority: Normal > Fix For: 3.0.x, 3.11.x, 4.0.x, 4.x > > Time Spent: 10m > Remaining Estimate: 0h > > https://bugzilla.mindrot.org/show_bug.cgi?id=2097 > Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4 > indicate that this is now fixed, so we should update. > Thanks to [~Bereng] for identifying the issue. -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[ https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17419777#comment-17419777 ] Sam Tunnicliffe commented on CASSANDRA-9384: Sure, sounds fair enough to me. > Update jBCrypt dependency to version 0.4 > > > Key: CASSANDRA-9384 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9384 > Project: Cassandra > Issue Type: Bug >Reporter: Sam Tunnicliffe >Assignee: Dinesh Joshi >Priority: Normal > Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x > > Time Spent: 10m > Remaining Estimate: 0h > > https://bugzilla.mindrot.org/show_bug.cgi?id=2097 > Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4 > indicate that this is now fixed, so we should update. > Thanks to [~Bereng] for identifying the issue. -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[ https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17419764#comment-17419764 ] Stefan Miklosovic commented on CASSANDRA-9384: -- I would probably try to improve it in such a way that the user creation would fail if salting would take longer than query timeout limit so at least if fails without any side effects. It is not obvious and it is confusing to realize that a user was created but the query have not. What do you think about that? > Update jBCrypt dependency to version 0.4 > > > Key: CASSANDRA-9384 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9384 > Project: Cassandra > Issue Type: Bug >Reporter: Sam Tunnicliffe >Assignee: Dinesh Joshi >Priority: Normal > Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x > > Time Spent: 10m > Remaining Estimate: 0h > > https://bugzilla.mindrot.org/show_bug.cgi?id=2097 > Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4 > indicate that this is now fixed, so we should update. > Thanks to [~Bereng] for identifying the issue. -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[ https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17419761#comment-17419761 ] Sam Tunnicliffe commented on CASSANDRA-9384: bq. So I am wondering who is this feature actually good for The original implementation hardcoded the number of rounds to 2^10, but that was made configurable in CASSANDRA-8085 and the defaults discussed in CASSANDRA-14678. Maybe we could have constrained the value a bit more, instead of just allowing anything jBcrypt supported, but that ship has sailed now. > Update jBCrypt dependency to version 0.4 > > > Key: CASSANDRA-9384 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9384 > Project: Cassandra > Issue Type: Bug >Reporter: Sam Tunnicliffe >Assignee: Dinesh Joshi >Priority: Normal > Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x > > Time Spent: 10m > Remaining Estimate: 0h > > https://bugzilla.mindrot.org/show_bug.cgi?id=2097 > Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4 > indicate that this is now fixed, so we should update. > Thanks to [~Bereng] for identifying the issue. -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[ https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17419739#comment-17419739 ] Stefan Miklosovic commented on CASSANDRA-9384: -- I came to the very same conclusions in 16990 and I havent checked this already exists so I closed it as duplication. While I was testing this, with 31 and I created a user, after I bumped it to 0.4, I could not even create a user anymore. If you currently set it to 31, there is a bug right ... and exactly because of that it will generate a password upon the user creation almost instantly. But if we fix this or if a user tries the previous number - 30, it will not overflow, but the change from 31 to 30 causes it to time-out - because it takes so much time to salt it so many times that the CQL command itself will time out. Same holds for whatever higher number, like 20, for example. It still hangs on my notebook (fairly modern one). Even it fails, that user WILL appear in the system_auth.roles table after like ... 2-3 minutes, depend how fast your pc is. So the query fails on timeout but the user creation succeeds eventually in the background. So I am wondering who is this feature actually good for if it become a "trial and error" until you hit the sweet spot when salting does not take eterniny and you will fit in cql timeout limit. > Update jBCrypt dependency to version 0.4 > > > Key: CASSANDRA-9384 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9384 > Project: Cassandra > Issue Type: Bug >Reporter: Sam Tunnicliffe >Assignee: Dinesh Joshi >Priority: Normal > Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x > > Time Spent: 10m > Remaining Estimate: 0h > > https://bugzilla.mindrot.org/show_bug.cgi?id=2097 > Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4 > indicate that this is now fixed, so we should update. > Thanks to [~Bereng] for identifying the issue. -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[ https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17359381#comment-17359381 ] Brandon Williams commented on CASSANDRA-9384: - Looks like this ticket may have been forgotten. > Update jBCrypt dependency to version 0.4 > > > Key: CASSANDRA-9384 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9384 > Project: Cassandra > Issue Type: Bug >Reporter: Sam Tunnicliffe >Assignee: Dinesh Joshi >Priority: Normal > Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x > > Time Spent: 10m > Remaining Estimate: 0h > > https://bugzilla.mindrot.org/show_bug.cgi?id=2097 > Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4 > indicate that this is now fixed, so we should update. > Thanks to [~Bereng] for identifying the issue. -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[
https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16778536#comment-16778536
]
Dinesh Joshi commented on CASSANDRA-9384:
-
bq. First of all, there's no such property in the conf or bin files, so it will
most likely leave users confused and some may even think they have to add this
property, in case it isn't set yet.
Right, the {{cassandra.auth_bcrypt_gensalt_log2_rounds}} is not documented
anywhere in Cassandra docs. It is a JVM arg that is passed into the process. My
assumption was that only users who've passed in that property would know about
it :). I am open to rewording it to make it clearer. What do you propose?
bq. Also, what happens to existing hashes with 31 rounds? Upgrading to 0.4 will
make all authentication attempts fail, see my first comment in thread. Changing
the property will not solve this.
So Cassandra will not accept `31` at all. The user must reduce this value
prior to upgrading to this version. We can call this out explicitly in the
notes. WDYT?
> Update jBCrypt dependency to version 0.4
>
>
> Key: CASSANDRA-9384
> URL: https://issues.apache.org/jira/browse/CASSANDRA-9384
> Project: Cassandra
> Issue Type: Bug
>Reporter: Sam Tunnicliffe
>Assignee: Dinesh Joshi
>Priority: Major
> Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x
>
>
> https://bugzilla.mindrot.org/show_bug.cgi?id=2097
> Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4
> indicate that this is now fixed, so we should update.
> Thanks to [~Bereng] for identifying the issue.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[
https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16777972#comment-16777972
]
Stefan Podkowinski commented on CASSANDRA-9384:
---
Looks like you added the following text to NEWS.txt:
{quote}Before you upgrade, confirm that
`cassandra.auth_bcrypt_gensalt_log2_rounds` property
is set to value lower than 31 otherwise Cassandra will fail to start.
See CASSANDRA-9384
for further details.{quote}
First of all, there's no such property in the conf or bin files, so it will
most likely leave users confused and some may even think they have to add this
property, in case it isn't set yet.
Also, what happens to existing hashes with 31 rounds? Upgrading to 0.4 will
make all authentication attempts fail, see my first comment in thread. Changing
the property will not solve this.
> Update jBCrypt dependency to version 0.4
>
>
> Key: CASSANDRA-9384
> URL: https://issues.apache.org/jira/browse/CASSANDRA-9384
> Project: Cassandra
> Issue Type: Bug
>Reporter: Sam Tunnicliffe
>Assignee: Dinesh Joshi
>Priority: Major
> Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x
>
>
> https://bugzilla.mindrot.org/show_bug.cgi?id=2097
> Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4
> indicate that this is now fixed, so we should update.
> Thanks to [~Bereng] for identifying the issue.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[
https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16777410#comment-16777410
]
Dinesh Joshi commented on CASSANDRA-9384:
-
I prefer that approach as well as I think it is reasonable for operators to
lower the {{auth_bcrypt_gensalt_log2_rounds}} before they upgrade to the latest
version. Unless there are strong objections from anybody, I think we should go
ahead with it. I have updated the branches. They're here again –
||2.1||trunk||
|[branch|https://github.com/dineshjoshi/cassandra/tree/9384-cassandra-2.1]|[branch|https://github.com/dineshjoshi/cassandra/tree/9384-trunk-v2]|
|[utests &
dtests|https://circleci.com/gh/dineshjoshi/workflows/cassandra/tree/9384-cassandra-2.1]|[utests
&
dtests|https://circleci.com/gh/dineshjoshi/workflows/cassandra/tree/9384-trunk-v2]|
> Update jBCrypt dependency to version 0.4
>
>
> Key: CASSANDRA-9384
> URL: https://issues.apache.org/jira/browse/CASSANDRA-9384
> Project: Cassandra
> Issue Type: Bug
>Reporter: Sam Tunnicliffe
>Assignee: Dinesh Joshi
>Priority: Major
> Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x
>
>
> https://bugzilla.mindrot.org/show_bug.cgi?id=2097
> Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4
> indicate that this is now fixed, so we should update.
> Thanks to [~Bereng] for identifying the issue.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[ https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16777386#comment-16777386 ] Jeff Jirsa commented on CASSANDRA-9384: --- I'd personally be ok with either, but would probably prefer approach 1 to approach 2. > Update jBCrypt dependency to version 0.4 > > > Key: CASSANDRA-9384 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9384 > Project: Cassandra > Issue Type: Bug >Reporter: Sam Tunnicliffe >Assignee: Dinesh Joshi >Priority: Major > Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x > > > https://bugzilla.mindrot.org/show_bug.cgi?id=2097 > Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4 > indicate that this is now fixed, so we should update. > Thanks to [~Bereng] for identifying the issue. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[
https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16773369#comment-16773369
]
Dinesh Joshi commented on CASSANDRA-9384:
-
For trunk -
# Abort start up if {{auth_bcrypt_gensalt_log2_rounds = 31}}
# Upgrade the jbcrypt binary
For versions other than trunk (Approach 1) -
# Abort start up if {{auth_bcrypt_gensalt_log2_rounds = 31}}
# Upgrade the jbcrypt binary
With this approach, the operator will have to reduce
{{auth_bcrypt_gensalt_log2_rounds}} before they upgrade C*.
For versions other than trunk (Approach 2) -
# Abort start up if {{auth_bcrypt_gensalt_log2_rounds = 31}}
# Allow operator to start C* with {{auth_bcrypt_gensalt_log2_rounds = 31}} if
they pass in {{-Dcassandra.allow_unsafe_bcrypt}}
# Don't upgrade the jbcrypt binary
Any preferences for which of the two approaches we should use for non-trunk
versions?
> Update jBCrypt dependency to version 0.4
>
>
> Key: CASSANDRA-9384
> URL: https://issues.apache.org/jira/browse/CASSANDRA-9384
> Project: Cassandra
> Issue Type: Bug
>Reporter: Sam Tunnicliffe
>Assignee: Dinesh Joshi
>Priority: Major
> Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x
>
>
> https://bugzilla.mindrot.org/show_bug.cgi?id=2097
> Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4
> indicate that this is now fixed, so we should update.
> Thanks to [~Bereng] for identifying the issue.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[ https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16773358#comment-16773358 ] Ariel Weisberg commented on CASSANDRA-9384: --- I am also in favor of failing at startup in this case for the reasons Jeff and Dinesh mentioned. > Update jBCrypt dependency to version 0.4 > > > Key: CASSANDRA-9384 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9384 > Project: Cassandra > Issue Type: Bug >Reporter: Sam Tunnicliffe >Assignee: Dinesh Joshi >Priority: Major > Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x > > > https://bugzilla.mindrot.org/show_bug.cgi?id=2097 > Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4 > indicate that this is now fixed, so we should update. > Thanks to [~Bereng] for identifying the issue. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[ https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16773345#comment-16773345 ] Jeff Jirsa commented on CASSANDRA-9384: --- I think failing to start is the right thing here. > Update jBCrypt dependency to version 0.4 > > > Key: CASSANDRA-9384 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9384 > Project: Cassandra > Issue Type: Bug >Reporter: Sam Tunnicliffe >Assignee: Dinesh Joshi >Priority: Major > Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x > > > https://bugzilla.mindrot.org/show_bug.cgi?id=2097 > Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4 > indicate that this is now fixed, so we should update. > Thanks to [~Bereng] for identifying the issue. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[ https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16773315#comment-16773315 ] Dinesh Joshi commented on CASSANDRA-9384: - [~jjirsa] I assume that people actually test new versions of C* before they deploy them in prod. With my approach, the newly updated instance will fail to come up with the bad setting. Hopefully the bounce will stop before it takes down the whole cluster. This is how I would expect bounces to behave. At this point I'd expect the operator to look into why C* failed to start and notice the error message and do a deeper investigation to fix their issue or add the override and move on. This should happen in a dev or test environment. Not prod. Consider the alternative where someone misses the warning message and doesn't read CHANGES.txt. They might get exploited because these messages went unnoticed. There is a higher chance of this making it into production without an incident. As an operator I would like security vulnerabilities fixed with a new releases and not just some log messages warning me that it exists. We can go with [~spo...@gmail.com]'s approach but I feel subtle failure is worse than explicit failure at start time. > Update jBCrypt dependency to version 0.4 > > > Key: CASSANDRA-9384 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9384 > Project: Cassandra > Issue Type: Bug >Reporter: Sam Tunnicliffe >Assignee: Dinesh Joshi >Priority: Major > Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x > > > https://bugzilla.mindrot.org/show_bug.cgi?id=2097 > Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4 > indicate that this is now fixed, so we should update. > Thanks to [~Bereng] for identifying the issue. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[ https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16773285#comment-16773285 ] Jeff Jirsa commented on CASSANDRA-9384: --- Think about this from the user side - - Someone's going to bounce. - They may or may not see the logs. - If they had rounds=31, the password hashes arent going to match - Newly bounced hosts will reject new connections, but the app will keep working for a while. - All the connections will stack up on the unbounced hosts until they're overloaded - Eventually the cluster will tip due to concentrating connections on a few coordinators OR you'll eventually cause an outage due to removing all coordinators with working auth. That's not a great user story. > Update jBCrypt dependency to version 0.4 > > > Key: CASSANDRA-9384 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9384 > Project: Cassandra > Issue Type: Bug >Reporter: Sam Tunnicliffe >Assignee: Dinesh Joshi >Priority: Major > Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x > > > https://bugzilla.mindrot.org/show_bug.cgi?id=2097 > Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4 > indicate that this is now fixed, so we should update. > Thanks to [~Bereng] for identifying the issue. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[ https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16773283#comment-16773283 ] Stefan Podkowinski commented on CASSANDRA-9384: --- We don't need to "grab attention" by having C* fail to start. We should put whats important for upgrades into NEWS.txt. So how about having that warning message and put a notice there, saying something like "check your log2_rounds settings if you're seeing the following message during startup". The user can then deliberately make the decision to change or ignore the setting. > Update jBCrypt dependency to version 0.4 > > > Key: CASSANDRA-9384 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9384 > Project: Cassandra > Issue Type: Bug >Reporter: Sam Tunnicliffe >Assignee: Dinesh Joshi >Priority: Major > Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x > > > https://bugzilla.mindrot.org/show_bug.cgi?id=2097 > Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4 > indicate that this is now fixed, so we should update. > Thanks to [~Bereng] for identifying the issue. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[
https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16773211#comment-16773211
]
Dinesh Joshi commented on CASSANDRA-9384:
-
Rethinking this for existing releases, I wouldn't want C* to start up with the
vulnerable setting. Normally, people don't pay attention to "WARN" messages and
C* generates so many log entries at start up that it is hard for an operator to
decide which ones they should be really concerned about.
For versions other than trunk, here's what I prefer -
# Abort start up if {{auth_bcrypt_gensalt_log2_rounds = 31}}
# Allow operator to start C* with {{auth_bcrypt_gensalt_log2_rounds = 31}} if
they pass in {{-Dcassandra.allow_unsafe_bcrypt}}
# Don't upgrade the jbcrypt binary
That way the operator has a way to use the old behavior but at least it grabs
their attention. We're technically backward compatible and not breaking anybody
except that now they have to consciously choose the bad setting. This should
not affect most users. Thoughts?
> Update jBCrypt dependency to version 0.4
>
>
> Key: CASSANDRA-9384
> URL: https://issues.apache.org/jira/browse/CASSANDRA-9384
> Project: Cassandra
> Issue Type: Bug
>Reporter: Sam Tunnicliffe
>Assignee: Dinesh Joshi
>Priority: Major
> Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x
>
>
> https://bugzilla.mindrot.org/show_bug.cgi?id=2097
> Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4
> indicate that this is now fixed, so we should update.
> Thanks to [~Bereng] for identifying the issue.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[ https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16773170#comment-16773170 ] Jeff Jirsa commented on CASSANDRA-9384: --- More from the peanut gallery: can we fix this line, which is just generally poor and confusing grammar: https://github.com/dineshjoshi/cassandra/blob/18adf79e8b53bf38ce751362b98e02b72e690a11/src/java/org/apache/cassandra/auth/PasswordAuthenticator.java#L64 > Update jBCrypt dependency to version 0.4 > > > Key: CASSANDRA-9384 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9384 > Project: Cassandra > Issue Type: Bug >Reporter: Sam Tunnicliffe >Assignee: Dinesh Joshi >Priority: Major > Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x > > > https://bugzilla.mindrot.org/show_bug.cgi?id=2097 > Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4 > indicate that this is now fixed, so we should update. > Thanks to [~Bereng] for identifying the issue. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[
https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16773169#comment-16773169
]
Jon Meredith commented on CASSANDRA-9384:
-
Small patches get the most comments...
For the trunk patch, what do you think about adding a 'Please recreate user
passwords after changing this setting' to the log message, there's very little
documentation about the setting and it might save somebody wondering why
everything is broken after an upgrade.
For the 2.1 patch, I agree bcrypt shouldn't be updated. What do you think
about changing the log message to
logger.warn("!!! IMPORTANT !!! ...")
Otherwise they'll get a WARN !!! WARNING message
> Update jBCrypt dependency to version 0.4
>
>
> Key: CASSANDRA-9384
> URL: https://issues.apache.org/jira/browse/CASSANDRA-9384
> Project: Cassandra
> Issue Type: Bug
>Reporter: Sam Tunnicliffe
>Assignee: Dinesh Joshi
>Priority: Major
> Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x
>
>
> https://bugzilla.mindrot.org/show_bug.cgi?id=2097
> Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4
> indicate that this is now fixed, so we should update.
> Thanks to [~Bereng] for identifying the issue.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[ https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16772943#comment-16772943 ] Stefan Podkowinski commented on CASSANDRA-9384: --- The bcrypt dependency should not be updated in any version but trunk in that case. The idea is to give users time to migrate to the new setting, without causing an incident during upgrades. > Update jBCrypt dependency to version 0.4 > > > Key: CASSANDRA-9384 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9384 > Project: Cassandra > Issue Type: Bug >Reporter: Sam Tunnicliffe >Assignee: Dinesh Joshi >Priority: Major > Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x > > > https://bugzilla.mindrot.org/show_bug.cgi?id=2097 > Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4 > indicate that this is now fixed, so we should update. > Thanks to [~Bereng] for identifying the issue. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[ https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16772491#comment-16772491 ] Dinesh Joshi commented on CASSANDRA-9384: - Good idea. Here are the updated patches for 2.1 and trunk. You might have to actually merge it up to 2.2, 3.0, 3.11. ||2.1||trunk|| |[branch|https://github.com/dineshjoshi/cassandra/tree/9384-cassandra-2.1]|[branch|https://github.com/dineshjoshi/cassandra/tree/9384-trunk-v2]| |[utests & dtests|https://circleci.com/gh/dineshjoshi/workflows/cassandra/tree/9384-cassandra-2.1]|[utests & dtests|https://circleci.com/gh/dineshjoshi/workflows/cassandra/tree/9384-trunk-v2]| || > Update jBCrypt dependency to version 0.4 > > > Key: CASSANDRA-9384 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9384 > Project: Cassandra > Issue Type: Bug >Reporter: Sam Tunnicliffe >Assignee: Dinesh Joshi >Priority: Major > Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x > > > https://bugzilla.mindrot.org/show_bug.cgi?id=2097 > Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4 > indicate that this is now fixed, so we should update. > Thanks to [~Bereng] for identifying the issue. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[ https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16770826#comment-16770826 ] Stefan Podkowinski commented on CASSANDRA-9384: --- The most sensible approach would probably to a) add a log warn statement for all 2.x/3.x users with the property set to 31 and ask them to migrate to different value b) update lib in 4.0, add NEWS.txt notice and fail hard with config error for 31 rounds > Update jBCrypt dependency to version 0.4 > > > Key: CASSANDRA-9384 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9384 > Project: Cassandra > Issue Type: Bug >Reporter: Sam Tunnicliffe >Assignee: Dinesh Joshi >Priority: Major > Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x > > > https://bugzilla.mindrot.org/show_bug.cgi?id=2097 > Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4 > indicate that this is now fixed, so we should update. > Thanks to [~Bereng] for identifying the issue. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[ https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16769828#comment-16769828 ] Dinesh Joshi commented on CASSANDRA-9384: - Correct. We can include a warning in the release notes to that effect so they don't accidentally run into issues. > Update jBCrypt dependency to version 0.4 > > > Key: CASSANDRA-9384 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9384 > Project: Cassandra > Issue Type: Bug >Reporter: Sam Tunnicliffe >Assignee: Dinesh Joshi >Priority: Major > Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x > > > https://bugzilla.mindrot.org/show_bug.cgi?id=2097 > Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4 > indicate that this is now fixed, so we should update. > Thanks to [~Bereng] for identifying the issue. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[
https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16769688#comment-16769688
]
Stefan Podkowinski commented on CASSANDRA-9384:
---
First of all, this only effects users who set the
{{cassandra.auth_bcrypt_gensalt_log2_rounds}} system property to 31 for insane
hashing computation times (default is 10). For those who did, updating to 0.4
would now cause each bcrypt hashing call to fail
([0c28b698|https://github.com/djmdjm/jBCrypt/commit/0c28b698e79b132391be8333107040d774c79995])
and forces them to change the value to something else. I'm pretty sure you'd
also have to re-create all users, to update the stored hashes again with <31
rounds to make bcrypt.hashpw() accept those.
> Update jBCrypt dependency to version 0.4
>
>
> Key: CASSANDRA-9384
> URL: https://issues.apache.org/jira/browse/CASSANDRA-9384
> Project: Cassandra
> Issue Type: Bug
>Reporter: Sam Tunnicliffe
>Assignee: Dinesh Joshi
>Priority: Major
> Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x
>
>
> https://bugzilla.mindrot.org/show_bug.cgi?id=2097
> Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4
> indicate that this is now fixed, so we should update.
> Thanks to [~Bereng] for identifying the issue.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[ https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16767589#comment-16767589 ] Dinesh Joshi commented on CASSANDRA-9384: - ||2.1|| |[branch|https://github.com/dineshjoshi/cassandra/tree/9384-cassandra-2.1]| |[utests & dtests|https://circleci.com/gh/dineshjoshi/workflows/cassandra/tree/9384-cassandra-2.1]| || > Update jBCrypt dependency to version 0.4 > > > Key: CASSANDRA-9384 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9384 > Project: Cassandra > Issue Type: Bug >Reporter: Sam Tunnicliffe >Assignee: Dinesh Joshi >Priority: Major > Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x > > > https://bugzilla.mindrot.org/show_bug.cgi?id=2097 > Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4 > indicate that this is now fixed, so we should update. > Thanks to [~Bereng] for identifying the issue. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[ https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16766859#comment-16766859 ] Dinesh Joshi commented on CASSANDRA-9384: - [~esimfon] I don't believe there are strong opinions against doing this :) We just need someone to get around to doing it. > Update jBCrypt dependency to version 0.4 > > > Key: CASSANDRA-9384 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9384 > Project: Cassandra > Issue Type: Bug >Reporter: Sam Tunnicliffe >Priority: Major > Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x > > > https://bugzilla.mindrot.org/show_bug.cgi?id=2097 > Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4 > indicate that this is now fixed, so we should update. > Thanks to [~Bereng] for identifying the issue. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[ https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16763754#comment-16763754 ] Simon Fontana Oscarsson commented on CASSANDRA-9384: Bump. Would be nice if we could resolve this to fix [CVE-2015-0886|https://nvd.nist.gov/vuln/detail/CVE-2015-0886]. Are there any strong opinions against stepping the version? > Update jBCrypt dependency to version 0.4 > > > Key: CASSANDRA-9384 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9384 > Project: Cassandra > Issue Type: Bug >Reporter: Sam Tunnicliffe >Priority: Major > Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x > > > https://bugzilla.mindrot.org/show_bug.cgi?id=2097 > Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4 > indicate that this is now fixed, so we should update. > Thanks to [~Bereng] for identifying the issue. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[ https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15942568#comment-15942568 ] Jeff Jirsa commented on CASSANDRA-9384: --- Not sure how I didn't notice the really obvious ticket number in that PR, but obviously there is a JIRA, and there is a concrete need, so that's embarrassing. > Update jBCrypt dependency to version 0.4 > > > Key: CASSANDRA-9384 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9384 > Project: Cassandra > Issue Type: Bug >Reporter: Sam Tunnicliffe > Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x > > > https://bugzilla.mindrot.org/show_bug.cgi?id=2097 > Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4 > indicate that this is now fixed, so we should update. > Thanks to [~Bereng] for identifying the issue. -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[ https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15942565#comment-15942565 ] ASF GitHub Bot commented on CASSANDRA-9384: --- Github user jeffjirsa commented on the issue: https://github.com/apache/cassandra/pull/93 Is there a reason you believe jbcrypt needs to be updated? We tend to only upgrade libraries when there is a concrete need. Additionally, we really prefer JIRA tickets for non-trivial changes. I encourage you to close this pull request, as the project can not close it for you. Please see http://cassandra.apache.org/doc/latest/development/patches.html for details. > Update jBCrypt dependency to version 0.4 > > > Key: CASSANDRA-9384 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9384 > Project: Cassandra > Issue Type: Bug >Reporter: Sam Tunnicliffe > Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x > > > https://bugzilla.mindrot.org/show_bug.cgi?id=2097 > Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4 > indicate that this is now fixed, so we should update. > Thanks to [~Bereng] for identifying the issue. -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Commented] (CASSANDRA-9384) Update jBCrypt dependency to version 0.4
[ https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15864265#comment-15864265 ] ASF GitHub Bot commented on CASSANDRA-9384: --- GitHub user dysmento opened a pull request: https://github.com/apache/cassandra/pull/93 CASSANDRA-9384 bump version of jbcrypt to 0.4 org.mindrot:jbcrypt:0.4 just landed in Maven Central. Here's a version bump for Cassandra. You can merge this pull request into a Git repository by running: $ git pull https://github.com/dysmento/cassandra trunk Alternatively you can review and apply these changes as the patch at: https://github.com/apache/cassandra/pull/93.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #93 > Update jBCrypt dependency to version 0.4 > > > Key: CASSANDRA-9384 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9384 > Project: Cassandra > Issue Type: Bug >Reporter: Sam Tunnicliffe > Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x > > > https://bugzilla.mindrot.org/show_bug.cgi?id=2097 > Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4 > indicate that this is now fixed, so we should update. > Thanks to [~Bereng] for identifying the issue. -- This message was sent by Atlassian JIRA (v6.3.15#6346)
