CVE-2017-5929 Security vulnerability in Logback warning in NEWS.txt

Patch by Ariel Weisberg; Reviewed by Jason Brown for CASSANDRA-14183


Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo
Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/4bbd28a0
Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/4bbd28a0
Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/4bbd28a0

Branch: refs/heads/cassandra-3.11
Commit: 4bbd28a043f15dd6c19de157acb5950319e8c16c
Parents: b294943
Author: Ariel Weisberg <aweisb...@apple.com>
Authored: Wed Feb 14 11:55:00 2018 -0500
Committer: Ariel Weisberg <aweisb...@apple.com>
Committed: Wed Feb 14 11:55:00 2018 -0500

----------------------------------------------------------------------
 CHANGES.txt | 3 +++
 NEWS.txt    | 9 +++++++++
 2 files changed, 12 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cassandra/blob/4bbd28a0/CHANGES.txt
----------------------------------------------------------------------
diff --git a/CHANGES.txt b/CHANGES.txt
index 9332354..0c25388 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,3 +1,6 @@
+2.1.21
+ * CVE-2017-5929 Security vulnerability in Logback warning in NEWS.txt 
(CASSANDRA-14183)
+
 2.1.20
  * Protect against overflow of local expiration time (CASSANDRA-14092)
  * More PEP8 compliance for cqlsh (CASSANDRA-14021)
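Review bot: the new CHANGES.txt entry at the top of this hunk carries a trailing space after "NEWS.txt" before the ticket reference; trim it so the entry matches the surrounding lines, which have no trailing whitespace. Consider also wording the entry as the action taken ("Add NEWS.txt warning about CVE-2017-5929 in Logback") rather than the title of the warning itself, so a reader of CHANGES.txt can tell that this release documents the issue rather than fixing it.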

http://git-wip-us.apache.org/repos/asf/cassandra/blob/4bbd28a0/NEWS.txt
----------------------------------------------------------------------
diff --git a/NEWS.txt b/NEWS.txt
index fb6b4ee..232f3cd 100644
--- a/NEWS.txt
+++ b/NEWS.txt
@@ -18,6 +18,15 @@ CASSANDRA-14092.txt file.
 If you use or plan to use very large TTLS (10 to 20 years), read 
CASSANDRA-14092.txt
 for more information.
 
+PLEASE READ: CVE-2017-5929 LOGBACK BEFORE 1.2.0 SERIALIZATION VULNERABILITY
+------------------------------------------------------------------
+QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the
+SocketServer and ServerSocketReceiver components.
+
+Logback has not been upgraded to avoid breaking deployments and customizations
+based on older versions. If you are using vulnerable components you will need
+to upgrade to a newer version of Logback or stop using the vulnerable 
components.
+
 GENERAL UPGRADING ADVICE FOR ANY VERSION
 ========================================
 
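Review bot: the underline added beneath "PLEASE READ: CVE-2017-5929 LOGBACK BEFORE 1.2.0 SERIALIZATION VULNERABILITY" is shorter than the heading (66 dashes under a 75-character title), while the neighbouring "GENERAL UPGRADING ADVICE FOR ANY VERSION" heading uses an underline of matching length; extend the dashes to the title width. More importantly, the note tells users that the vulnerable components are SocketServer and ServerSocketReceiver and that Logback was deliberately not upgraded, but it does not say which Logback version this release actually bundles, so an operator cannot tell from NEWS.txt alone whether they are below 1.2.0. Suggest adding one line stating the shipped Logback version, and one line telling readers how to check whether they have enabled either component (for example by reviewing their logback configuration for a receiver or socket-server setup), since the advice "stop using the vulnerable components" is only actionable if readers can determine that they use them.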

