Re: CASSANDRA-14183 review request -> logback upgrade to fix CVE

2018-02-13 Thread Jeff Jirsa
Using the internals in ThreadAwareSecurityManager has caused countless
problems, and needs to be fixed once and for all -

There are 2 different patches up for review in
https://issues.apache.org/jira/browse/CASSANDRA-13396 - would be nice if
one could be selected, and hopefully whichever is chosen can be a final
workaround for upgrading safely as well.




On Tue, Feb 13, 2018 at 9:41 AM, Jacques-Henri Berthemet <
jacques-henri.berthe...@genesys.com> wrote:

> Hi,
>
> I suppose upgrading Logback breaks Cassandra because some classes are used
> directly like in StorageService, ThreadAwareSecurityManager and
> StorageServiceMBean.
> This was a problem in my case as we're embedding Cassandra for our
> functional tests, I had to stub it as it was conflicting with log4j2
> configuration.
>
> Ideally Cassandra should only use pure SLF4J so that logging can be easily
> upgraded or changed.
> --
> Jacques-Henri Berthemet
>
> -Original Message-
> From: Ariel Weisberg [mailto:ar...@weisberg.ws]
> Sent: Tuesday, February 13, 2018 6:28 PM
> To: dev@cassandra.apache.org
> Subject: Re: CASSANDRA-14183 review request -> logback upgrade to fix CVE
>
> Hi,
>
> So our options are:
>
> 1. Ignore it.
> Most people aren't using this functionality.
> Most people aren't and shouldn't be exposing the logging port to untrusted
> networks
> But everyone loses at defense in depth (or is it breadth) if they
> use this functionality and someone might expose the port
>
> 2. Remove the offending classes from the 1.1.10 jar
> My crazy idea, break it, but only for the people using the vulnerable
> functionality. Possibly no one, but probably someone. Maybe they can
> upgrade it manually for their usage?
> This also has an issue when working with maven.
>
> 3. Upgrade it
> Definitely going to break some apps according to Michael Shuler. Happened
> when he tried it.
>
> Certainly we can upgrade in trunk? While we are at it come up to the
> latest version.
>
> Ariel
>
> On Tue, Feb 13, 2018, at 12:03 PM, Ariel Weisberg wrote:
> > Hi,
> >
> > I don't think the fix is in 1.1.11 looking at the diff between 1.1.11
> > and 1.2.0
> > https://github.com/qos-ch/logback/compare/v_1.1.11...v_1.2.0
> >
> > I looked at 1.1.11 and 1.1.10 and didn't see it there either.
> >
> > When you say stuff broke do you mean stuff not in the dtests or utests?
> >
> > Ariel
> >
> > On Tue, Feb 13, 2018, at 11:57 AM, Michael Shuler wrote:
> > > I tried a logback 1.2.x jar update a number of months ago to fix the
> > > broken log rotation (try setting rotation to a large number - you'll
> > > find you only get I think it was 10 files, regardless of setting).
> > >
> > > Like we've found updating other jars in the past, this seemingly
> > > "simple" update broke a number of application components, so we
> > > rolled it back and worked out another log rotation method.
> > >
> > > Looking at the logback changelog, I cannot tell if version 1.1.11 is
> > > fixed for this, or if that might be less breakage? There are a
> > > pretty significant number of API-looking changes from 1.1.3 to
> > > 1.2.3, so I do not wish to break other users' applications, as I have
> > > experienced.
> > >
> > > I do not think this should block the current releases, unless
> > > someone wants to do some significant testing and user outreach for
> > > tentatively breaking their applications.
> > >
> > > --
> > > Michael
> > >
> > > On 02/13/2018 10:48 AM, Jason Brown wrote:
> > > > Ariel,
> > > >
> > > > If this is a legit CVE, then we would want to patch all the
> > > > current versions we support - which is 2.1 and higher.
> > > >
> > > > Also, is this worth stopping the current open vote for this patch?
> > > > (Not in a place to look at the patch and affects to impacted
> branches right now).
> > > >
> > > > Jason
> > > >
> > > > On Tue, Feb 13, 2018 at 08:43 Ariel Weisberg 
> wrote:
> > > >
> > > >> Hi,
> > > >>
> > > >> Seems like users could conceivably be using the vulnerable
> > > >> component. Also seems like we potentially need to do this
> > > >> as far back as 2.1?
> > > >>
> > > >> Anyone else have an opinion before I commit this? What version to
> > > >> start from?
> > > >>
> > > >> Ariel
> > > >>

Re: CASSANDRA-14183 review request -> logback upgrade to fix CVE

2018-02-13 Thread Jason Brown
Ariel,

>> Option 4, upgrade trunk, update NEWS.TXT in prior versions warning about
the vulnerability

+1 to this. I'll check the ticket, as well.

On Tue, Feb 13, 2018 at 9:45 AM, Ariel Weisberg  wrote:

> Hi,
>
> Option 4, upgrade trunk, update NEWS.TXT in prior versions warning about
> the vulnerability.
>
> Ariel
>
> On Tue, Feb 13, 2018, at 12:28 PM, Ariel Weisberg wrote:
> > Hi,
> >
> > So our options are:
> >
> > 1. Ignore it.
> > Most people aren't using this functionality.
> > Most people aren't and shouldn't be exposing the logging port to
> > untrusted networks
> > But everyone loses at defense in depth (or is it breadth) if they use
> > this functionality and someone might expose the port
> >
> > 2. Remove the offending classes from the 1.1.10 jar
> > My crazy idea, break it, but only for the people using the vulnerable
> > functionality. Possibly no one, but probably someone. Maybe they can
> > upgrade it manually for their usage?
> > This also has an issue when working with maven.
> >
> > 3. Upgrade it
> > Definitely going to break some apps according to Michael Shuler.
> > Happened when he tried it.
> >
> > Certainly we can upgrade in trunk? While we are at it come up to the
> > latest version.
> >
> > Ariel
> >
> > On Tue, Feb 13, 2018, at 12:03 PM, Ariel Weisberg wrote:
> > > Hi,
> > >
> > > I don't think the fix is in 1.1.11 looking at the diff between 1.1.11
> > > and 1.2.0 https://github.com/qos-ch/logback/compare/v_1.1.11...v_1.2.0
> > >
> > > I looked at 1.1.11 and 1.1.10 and didn't see it there either.
> > >
> > > When you say stuff broke do you mean stuff not in the dtests or utests?
> > >
> > > Ariel
> > >
> > > On Tue, Feb 13, 2018, at 11:57 AM, Michael Shuler wrote:
> > > > I tried a logback 1.2.x jar update a number of months ago to fix the
> > > > broken log rotation (try setting rotation to a large number - you'll
> > > > find you only get I think it was 10 files, regardless of setting).
> > > >
> > > > Like we've found updating other jars in the past, this seemingly
> > > > "simple" update broke a number of application components, so we
> rolled
> > > > it back and worked out another log rotation method.
> > > >
> > > > Looking at the logback changelog, I cannot tell if version 1.1.11 is
> > > > fixed for this, or if that might be less breakage? There are a pretty
> > > > significant number of API-looking changes from 1.1.3 to 1.2.3, so I
> do
> > > > not wish to break other users' applications, as I have experienced.
> > > >
> > > > I do not think this should block the current releases, unless someone
> > > > wants to do some significant testing and user outreach for
> tentatively
> > > > breaking their applications.
> > > >
> > > > --
> > > > Michael
> > > >
> > > > On 02/13/2018 10:48 AM, Jason Brown wrote:
> > > > > Ariel,
> > > > >
> > > > > If this is a legit CVE, then we would want to patch all the current
> > > > > versions we support - which is 2.1 and higher.
> > > > >
> > > > > Also, is this worth stopping the current open vote for this patch?
> (Not in
> > > > > a place to look at the patch and affects to impacted branches
> right now).
> > > > >
> > > > > Jason
> > > > >
> > > > > On Tue, Feb 13, 2018 at 08:43 Ariel Weisberg 
> wrote:
> > > > >
> > > > >> Hi,
> > > > >>
> > > > >> Seems like users could conceivably be using the vulnerable
> component. Also
> > > > >> seems like we potentially need to do this as far back
> > > > >> as 2.1?
> > > > >>
> > > > >> Anyone else have an opinion before I commit this? What version to
> start
> > > > >> from?
> > > > >>
> > > > >> Ariel
> > > > >>
> > > > >> On Tue, Feb 13, 2018, at 5:59 AM, Thiago Veronezi wrote:
> > > > >>> Hi dev team,
> > > > >>>
> > > > >>> Sorry to keep bothering you.
> > > > >>>
> > > > >>> This is just a friendly reminder that I would like to contribute
> to this
> > > > >>> project starting with a fix for CASSANDRA-14183
> > > > >>> .
> > > > >>>
> > > > >>> []s,
> > > > >>> Thiago.
> > > > >>>
> > > > >>>
> > > > >>>
> > > > >>> On Tue, Jan 30, 2018 at 8:05 AM, Thiago Veronezi <
> thi...@veronezi.org>
> > > > >>> wrote:
> > > > >>>
> > > >  Hi dev team,
> > > > 
> > > >  Can one of you guys take a look at this jira ticket?
> > > >  https://issues.apache.org/jira/browse/CASSANDRA-14183
> > > > 
> > > >  It has a patch available for a known security issue with one of the
> > > >  dependencies. It has only trivial code changes. It should be
> > > >  straightforward to review it. Any feedback is very welcome.
> > > > 
> > > >  Thanks,
> > > >  Thiago
> > > > 
> > > > >>
> > > > >> 
> -
> > > > >> To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org
> > > > >> For additional commands, e-mail: dev-h...@cassandra.apache.org
> > > > >>
> > > > >>
> > > > >
> > > >
> > > >
> > > > 

Re: CASSANDRA-14183 review request -> logback upgrade to fix CVE

2018-02-13 Thread Ariel Weisberg
Hi,

Option 4, upgrade trunk, update NEWS.TXT in prior versions warning about the 
vulnerability.

Ariel

On Tue, Feb 13, 2018, at 12:28 PM, Ariel Weisberg wrote:
> Hi,
> 
> So our options are:
> 
> 1. Ignore it.
> Most people aren't using this functionality.
> Most people aren't and shouldn't be exposing the logging port to 
> untrusted networks
> But everyone loses at defense in depth (or is it breadth) if they use 
> this functionality and someone might expose the port
> 
> 2. Remove the offending classes from the 1.1.10 jar
> My crazy idea, break it, but only for the people using the vulnerable 
> functionality. Possibly no one, but probably someone. Maybe they can 
> upgrade it manually for their usage?
> This also has an issue when working with maven.
> 
> 3. Upgrade it
> Definitely going to break some apps according to Michael Shuler. 
> Happened when he tried it.
> 
> Certainly we can upgrade in trunk? While we are at it come up to the 
> latest version.
> 
> Ariel
> 
> On Tue, Feb 13, 2018, at 12:03 PM, Ariel Weisberg wrote:
> > Hi,
> > 
> > I don't think the fix is in 1.1.11 looking at the diff between 1.1.11 
> > and 1.2.0 https://github.com/qos-ch/logback/compare/v_1.1.11...v_1.2.0
> > 
> > I looked at 1.1.11 and 1.1.10 and didn't see it there either.
> > 
> > When you say stuff broke do you mean stuff not in the dtests or utests?
> > 
> > Ariel
> > 
> > On Tue, Feb 13, 2018, at 11:57 AM, Michael Shuler wrote:
> > > I tried a logback 1.2.x jar update a number of months ago to fix the
> > > broken log rotation (try setting rotation to a large number - you'll
> > > find you only get I think it was 10 files, regardless of setting).
> > > 
> > > Like we've found updating other jars in the past, this seemingly
> > > "simple" update broke a number of application components, so we rolled
> > > it back and worked out another log rotation method.
> > > 
> > > Looking at the logback changelog, I cannot tell if version 1.1.11 is
> > > fixed for this, or if that might be less breakage? There are a pretty
> > > significant number of API-looking changes from 1.1.3 to 1.2.3, so I do
> > > not wish to break other users' applications, as I have experienced.
> > > 
> > > I do not think this should block the current releases, unless someone
> > > wants to do some significant testing and user outreach for tentatively
> > > breaking their applications.
> > > 
> > > -- 
> > > Michael
> > > 
> > > On 02/13/2018 10:48 AM, Jason Brown wrote:
> > > > Ariel,
> > > > 
> > > > If this is a legit CVE, then we would want to patch all the current
> > > > versions we support - which is 2.1 and higher.
> > > > 
> > > > Also, is this worth stopping the current open vote for this patch? (Not 
> > > > in
> > > > a place to look at the patch and affects to impacted branches right 
> > > > now).
> > > > 
> > > > Jason
> > > > 
> > > > On Tue, Feb 13, 2018 at 08:43 Ariel Weisberg  wrote:
> > > > 
> > > >> Hi,
> > > >>
> > > >> Seems like users could conceivably be using the vulnerable component. 
> > > >> Also
> > > >> seems like we potentially need to do this as far back as 2.1?
> > > >>
> > > >> Anyone else have an opinion before I commit this? What version to start
> > > >> from?
> > > >>
> > > >> Ariel
> > > >>
> > > >> On Tue, Feb 13, 2018, at 5:59 AM, Thiago Veronezi wrote:
> > > >>> Hi dev team,
> > > >>>
> > > >>> Sorry to keep bothering you.
> > > >>>
> > > >>> This is just a friendly reminder that I would like to contribute to 
> > > >>> this
> > > >>> project starting with a fix for CASSANDRA-14183
> > > >>> .
> > > >>>
> > > >>> []s,
> > > >>> Thiago.
> > > >>>
> > > >>>
> > > >>>
> > > >>> On Tue, Jan 30, 2018 at 8:05 AM, Thiago Veronezi 
> > > >>> wrote:
> > > >>>
> > >  Hi dev team,
> > > 
> > >  Can one of you guys take a look at this jira ticket?
> > >  https://issues.apache.org/jira/browse/CASSANDRA-14183
> > > 
> > >  It has a patch available for a known security issue with one of the
> > >  dependencies. It has only trivial code changes. It should be
> > >  straightforward to review it. Any feedback is very welcome.
> > > 
> > >  Thanks,
> > >  Thiago
> > > 
> > > >>
> > > >>
> > > >>
> > > > 
> > > 
> > > 
> > > 
> > 
> > 
> 
> 

RE: CASSANDRA-14183 review request -> logback upgrade to fix CVE

2018-02-13 Thread Jacques-Henri Berthemet
Hi,

I suppose upgrading Logback breaks Cassandra because some classes are used 
directly like in StorageService, ThreadAwareSecurityManager and 
StorageServiceMBean.
This was a problem in my case as we're embedding Cassandra for our functional 
tests, I had to stub it as it was conflicting with log4j2 configuration.

Ideally Cassandra should only use pure SLF4J so that logging can be easily 
upgraded or changed. 
--
Jacques-Henri Berthemet

-Original Message-
From: Ariel Weisberg [mailto:ar...@weisberg.ws] 
Sent: Tuesday, February 13, 2018 6:28 PM
To: dev@cassandra.apache.org
Subject: Re: CASSANDRA-14183 review request -> logback upgrade to fix CVE

Hi,

So our options are:

1. Ignore it.
Most people aren't using this functionality.
Most people aren't and shouldn't be exposing the logging port to untrusted
networks
But everyone loses at defense in depth (or is it breadth) if they use
this functionality and someone might expose the port

2. Remove the offending classes from the 1.1.10 jar
My crazy idea, break it, but only for the people using the vulnerable
functionality. Possibly no one, but probably someone. Maybe they can upgrade it
manually for their usage?
This also has an issue when working with maven.

3. Upgrade it
Definitely going to break some apps according to Michael Shuler. Happened when 
he tried it.

Certainly we can upgrade in trunk? While we are at it come up to the latest 
version.

Ariel

On Tue, Feb 13, 2018, at 12:03 PM, Ariel Weisberg wrote:
> Hi,
> 
> I don't think the fix is in 1.1.11 looking at the diff between 1.1.11 
> and 1.2.0 
> https://github.com/qos-ch/logback/compare/v_1.1.11...v_1.2.0
> 
> I looked at 1.1.11 and 1.1.10 and didn't see it there either.
> 
> When you say stuff broke do you mean stuff not in the dtests or utests?
> 
> Ariel
> 
> On Tue, Feb 13, 2018, at 11:57 AM, Michael Shuler wrote:
> > I tried a logback 1.2.x jar update a number of months ago to fix the 
> > broken log rotation (try setting rotation to a large number - you'll 
> > find you only get I think it was 10 files, regardless of setting).
> > 
> > Like we've found updating other jars in the past, this seemingly 
> > "simple" update broke a number of application components, so we 
> > rolled it back and worked out another log rotation method.
> > 
> > Looking at the logback changelog, I cannot tell if version 1.1.11 is 
> > fixed for this, or if that might be less breakage? There are a 
> > pretty significant number of API-looking changes from 1.1.3 to 
> > 1.2.3, so I do not wish to break other users' applications, as I have
> > experienced.
> > 
> > I do not think this should block the current releases, unless 
> > someone wants to do some significant testing and user outreach for 
> > tentatively breaking their applications.
> > 
> > --
> > Michael
> > 
> > On 02/13/2018 10:48 AM, Jason Brown wrote:
> > > Ariel,
> > > 
> > > If this is a legit CVE, then we would want to patch all the 
> > > current versions we support - which is 2.1 and higher.
> > > 
> > > Also, is this worth stopping the current open vote for this patch? 
> > > (Not in a place to look at the patch and affects to impacted branches 
> > > right now).
> > > 
> > > Jason
> > > 
> > > On Tue, Feb 13, 2018 at 08:43 Ariel Weisberg  wrote:
> > > 
> > >> Hi,
> > >>
> > >> Seems like users could conceivably be using the vulnerable 
> > >> component. Also seems like we potentially need to do this as
> > >> far back as 2.1?
> > >>
> > >> Anyone else have an opinion before I commit this? What version to 
> > >> start from?
> > >>
> > >> Ariel
> > >>
> > >> On Tue, Feb 13, 2018, at 5:59 AM, Thiago Veronezi wrote:
> > >>> Hi dev team,
> > >>>
> > >>> Sorry to keep bothering you.
> > >>>
> > >>> This is just a friendly reminder that I would like to contribute 
> > >>> to this project starting with a fix for CASSANDRA-14183 
> > >>> <https://issues.apache.org/jira/browse/CASSANDRA-14183>.
> > >>>
> > >>> []s,
> > >>> Thiago.
> > >>>
> > >>>
> > >>>
> > >>> On Tue, Jan 30, 2018 at 8:05 AM, Thiago Veronezi 
> > >>> 
> > >>> wrote:
> > >>>
> > >>>> Hi dev team,
> > >>>>
> > >>>> Can one of you guys take a look on this jira t

Re: CASSANDRA-14183 review request -> logback upgrade to fix CVE

2018-02-13 Thread Ariel Weisberg
Hi,

So our options are:

1. Ignore it.
Most people aren't using this functionality.
Most people aren't and shouldn't be exposing the logging port to untrusted 
networks
But everyone loses at defense in depth (or is it breadth) if they use this 
functionality and someone might expose the port

2. Remove the offending classes from the 1.1.10 jar
My crazy idea, break it, but only for the people using the vulnerable 
functionality. Possibly no one, but probably someone. Maybe they can upgrade it 
manually for their usage?
This also has an issue when working with maven.

3. Upgrade it
Definitely going to break some apps according to Michael Shuler. Happened when 
he tried it.

Certainly we can upgrade in trunk? While we are at it come up to the latest 
version.

Ariel

On Tue, Feb 13, 2018, at 12:03 PM, Ariel Weisberg wrote:
> Hi,
> 
> I don't think the fix is in 1.1.11 looking at the diff between 1.1.11 
> and 1.2.0 https://github.com/qos-ch/logback/compare/v_1.1.11...v_1.2.0
> 
> I looked at 1.1.11 and 1.1.10 and didn't see it there either.
> 
> When you say stuff broke do you mean stuff not in the dtests or utests?
> 
> Ariel
> 
> On Tue, Feb 13, 2018, at 11:57 AM, Michael Shuler wrote:
> > I tried a logback 1.2.x jar update a number of months ago to fix the
> > broken log rotation (try setting rotation to a large number - you'll
> > find you only get I think it was 10 files, regardless of setting).
> > 
> > Like we've found updating other jars in the past, this seemingly
> > "simple" update broke a number of application components, so we rolled
> > it back and worked out another log rotation method.
> > 
> > Looking at the logback changelog, I cannot tell if version 1.1.11 is
> > fixed for this, or if that might be less breakage? There are a pretty
> > significant number of API-looking changes from 1.1.3 to 1.2.3, so I do
> > not wish to break other users' applications, as I have experienced.
> > 
> > I do not think this should block the current releases, unless someone
> > wants to do some significant testing and user outreach for tentatively
> > breaking their applications.
> > 
> > -- 
> > Michael
> > 
> > On 02/13/2018 10:48 AM, Jason Brown wrote:
> > > Ariel,
> > > 
> > > If this is a legit CVE, then we would want to patch all the current
> > > versions we support - which is 2.1 and higher.
> > > 
> > > Also, is this worth stopping the current open vote for this patch? (Not in
> > > a place to look at the patch and affects to impacted branches right now).
> > > 
> > > Jason
> > > 
> > > On Tue, Feb 13, 2018 at 08:43 Ariel Weisberg  wrote:
> > > 
> > >> Hi,
> > >>
> > >> Seems like users could conceivably be using the vulnerable component. 
> > >> Also
> > >> seems like we potentially need to do this as far back as 2.1?
> > >>
> > >> Anyone else have an opinion before I commit this? What version to start
> > >> from?
> > >>
> > >> Ariel
> > >>
> > >> On Tue, Feb 13, 2018, at 5:59 AM, Thiago Veronezi wrote:
> > >>> Hi dev team,
> > >>>
> > >>> Sorry to keep bothering you.
> > >>>
> > >>> This is just a friendly reminder that I would like to contribute to this
> > >>> project starting with a fix for CASSANDRA-14183
> > >>> .
> > >>>
> > >>> []s,
> > >>> Thiago.
> > >>>
> > >>>
> > >>>
> > >>> On Tue, Jan 30, 2018 at 8:05 AM, Thiago Veronezi 
> > >>> wrote:
> > >>>
> >  Hi dev team,
> > 
> >  Can one of you guys take a look at this jira ticket?
> >  https://issues.apache.org/jira/browse/CASSANDRA-14183
> > 
> >  It has a patch available for a known security issue with one of the
> >  dependencies. It has only trivial code changes. It should be
> >  straightforward to review it. Any feedback is very welcome.
> > 
> >  Thanks,
> >  Thiago
> > 
> > >>
> > >>
> > >>
> > > 
> > 
> > 
> > 
> 
> 




Re: CASSANDRA-14183 review request -> logback upgrade to fix CVE

2018-02-13 Thread Ariel Weisberg
Hi,

I don't think the fix is in 1.1.11 looking at the diff between 1.1.11 and 1.2.0 
https://github.com/qos-ch/logback/compare/v_1.1.11...v_1.2.0

I looked at 1.1.11 and 1.1.10 and didn't see it there either.

When you say stuff broke do you mean stuff not in the dtests or utests?

Ariel

On Tue, Feb 13, 2018, at 11:57 AM, Michael Shuler wrote:
> I tried a logback 1.2.x jar update a number of months ago to fix the
> broken log rotation (try setting rotation to a large number - you'll
> find you only get I think it was 10 files, regardless of setting).
> 
> Like we've found updating other jars in the past, this seemingly
> "simple" update broke a number of application components, so we rolled
> it back and worked out another log rotation method.
> 
> Looking at the logback changelog, I cannot tell if version 1.1.11 is
> fixed for this, or if that might be less breakage? There are a pretty
> significant number of API-looking changes from 1.1.3 to 1.2.3, so I do
> not wish to break other users' applications, as I have experienced.
> 
> I do not think this should block the current releases, unless someone
> wants to do some significant testing and user outreach for tentatively
> breaking their applications.
> 
> -- 
> Michael
> 
> On 02/13/2018 10:48 AM, Jason Brown wrote:
> > Ariel,
> > 
> > If this is a legit CVE, then we would want to patch all the current
> > versions we support - which is 2.1 and higher.
> > 
> > Also, is this worth stopping the current open vote for this patch? (Not in
> > a place to look at the patch and affects to impacted branches right now).
> > 
> > Jason
> > 
> > On Tue, Feb 13, 2018 at 08:43 Ariel Weisberg  wrote:
> > 
> >> Hi,
> >>
> >> Seems like users could conceivably be using the vulnerable component. Also
> >> seems like we potentially need to do this as far back as 2.1?
> >>
> >> Anyone else have an opinion before I commit this? What version to start
> >> from?
> >>
> >> Ariel
> >>
> >> On Tue, Feb 13, 2018, at 5:59 AM, Thiago Veronezi wrote:
> >>> Hi dev team,
> >>>
> >>> Sorry to keep bothering you.
> >>>
> >>> This is just a friendly reminder that I would like to contribute to this
> >>> project starting with a fix for CASSANDRA-14183
> >>> .
> >>>
> >>> []s,
> >>> Thiago.
> >>>
> >>>
> >>>
> >>> On Tue, Jan 30, 2018 at 8:05 AM, Thiago Veronezi 
> >>> wrote:
> >>>
>  Hi dev team,
> 
>  Can one of you guys take a look at this jira ticket?
>  https://issues.apache.org/jira/browse/CASSANDRA-14183
> 
>  It has a patch available for a known security issue with one of the
>  dependencies. It has only trivial code changes. It should be
>  straightforward to review it. Any feedback is very welcome.
> 
>  Thanks,
>  Thiago
> 
> >>
> >>
> >>
> > 
> 
> 
> 




Re: CASSANDRA-14183 review request -> logback upgrade to fix CVE

2018-02-13 Thread Jason Brown
Thanks, Michael and Jeremiah. That’s good input.

Ok, let’s not hold up the vote.

On Tue, Feb 13, 2018 at 08:58 Jeremiah D Jordan 
wrote:

> s/does affect/does not affect/
>
> > On Feb 13, 2018, at 11:57 AM, Jeremiah D Jordan <
> jeremiah.jor...@gmail.com> wrote:
> >
> > I don’t think we need to stop the vote.  This CVE has been around for a
> while (3/13/2017), and does affect any install I have ever seen.  It
> affects users who manually enable some specific logback features using the
> SocketServer or ServerSocketReceiver component which are not used in our
> default settings (or by any install I have ever seen).
> >
> > -Jeremiah
> >
> >> On Feb 13, 2018, at 11:48 AM, Jason Brown  wrote:
> >>
> >> Ariel,
> >>
> >> If this is a legit CVE, then we would want to patch all the current
> >> versions we support - which is 2.1 and higher.
> >>
> >> Also, is this worth stopping the current open vote for this patch? (Not
> in
> >> a place to look at the patch and affects to impacted branches right
> now).
> >>
> >> Jason
> >>
> >> On Tue, Feb 13, 2018 at 08:43 Ariel Weisberg  wrote:
> >>
> >>> Hi,
> >>>
> >>> Seems like users could conceivably be using the vulnerable component.
> Also
> >>> seems like we potentially need to do this as far back as 2.1?
> >>>
> >>> Anyone else have an opinion before I commit this? What version to start
> >>> from?
> >>>
> >>> Ariel
> >>>
> >>> On Tue, Feb 13, 2018, at 5:59 AM, Thiago Veronezi wrote:
>  Hi dev team,
> 
>  Sorry to keep bothering you.
> 
>  This is just a friendly reminder that I would like to contribute to
> this
>  project starting with a fix for CASSANDRA-14183
>  .
> 
>  []s,
>  Thiago.
> 
> 
> 
>  On Tue, Jan 30, 2018 at 8:05 AM, Thiago Veronezi
>  wrote:
> 
> > Hi dev team,
> >
> > Can one of you guys take a look at this jira ticket?
> > https://issues.apache.org/jira/browse/CASSANDRA-14183
> >
> > It has a patch available for a known security issue with one of the
> > dependencies. It has only trivial code changes. It should be
> > straightforward to review it. Any feedback is very welcome.
> >
> > Thanks,
> > Thiago
> >
> >>>
> >>>
> >>>
> >
> >
> >
>
>
>
>


Re: CASSANDRA-14183 review request -> logback upgrade to fix CVE

2018-02-13 Thread Jeremiah D Jordan
s/does affect/does not affect/

> On Feb 13, 2018, at 11:57 AM, Jeremiah D Jordan  
> wrote:
> 
> I don’t think we need to stop the vote.  This CVE has been around for a while 
> (3/13/2017), and does affect any install I have ever seen.  It affects users 
> who manually enable some specific logback features using the SocketServer or 
> ServerSocketReceiver component which are not used in our default settings (or 
> by any install I have ever seen).
> 
> -Jeremiah
> 
>> On Feb 13, 2018, at 11:48 AM, Jason Brown  wrote:
>> 
>> Ariel,
>> 
>> If this is a legit CVE, then we would want to patch all the current
>> versions we support - which is 2.1 and higher.
>> 
>> Also, is this worth stopping the current open vote for this patch? (Not in
>> a place to look at the patch and affects to impacted branches right now).
>> 
>> Jason
>> 
>> On Tue, Feb 13, 2018 at 08:43 Ariel Weisberg  wrote:
>> 
>>> Hi,
>>> 
>>> Seems like users could conceivably be using the vulnerable component. Also
>>> seems like we potentially need to do this as far back as 2.1?
>>> 
>>> Anyone else have an opinion before I commit this? What version to start
>>> from?
>>> 
>>> Ariel
>>> 
>>> On Tue, Feb 13, 2018, at 5:59 AM, Thiago Veronezi wrote:
 Hi dev team,
 
 Sorry to keep bothering you.
 
 This is just a friendly reminder that I would like to contribute to this
 project starting with a fix for CASSANDRA-14183
 .
 
 []s,
 Thiago.
 
 
 
 On Tue, Jan 30, 2018 at 8:05 AM, Thiago Veronezi 
 wrote:
 
> Hi dev team,
> 
> Can one of you guys take a look at this jira ticket?
> https://issues.apache.org/jira/browse/CASSANDRA-14183
> 
> It has a patch available for a known security issue with one of the
> dependencies. It has only trivial code changes. It should be
> straightforward to review it. Any feedback is very welcome.
> 
> Thanks,
> Thiago
> 
>>> 
>>> 
>>> 
> 
> 
> 





Re: CASSANDRA-14183 review request -> logback upgrade to fix CVE

2018-02-13 Thread Jeremiah D Jordan
I don’t think we need to stop the vote.  This CVE has been around for a while 
(3/13/2017), and does affect any install I have ever seen.  It affects users 
who manually enable some specific logback features using the SocketServer or 
ServerSocketReceiver component which are not used in our default settings (or 
by any install I have ever seen).

-Jeremiah

> On Feb 13, 2018, at 11:48 AM, Jason Brown  wrote:
> 
> Ariel,
> 
> If this is a legit CVE, then we would want to patch all the current
> versions we support - which is 2.1 and higher.
> 
> Also, is this worth stopping the current open vote for this patch? (Not in
> a place to look at the patch and affects to impacted branches right now).
> 
> Jason
> 
> On Tue, Feb 13, 2018 at 08:43 Ariel Weisberg  wrote:
> 
>> Hi,
>> 
>> Seems like users could conceivably be using the vulnerable component. Also
>> seems like we potentially need to do this as far back as 2.1?
>> 
>> Anyone else have an opinion before I commit this? What version to start
>> from?
>> 
>> Ariel
>> 
>> On Tue, Feb 13, 2018, at 5:59 AM, Thiago Veronezi wrote:
>>> Hi dev team,
>>> 
>>> Sorry to keep bothering you.
>>> 
>>> This is just a friendly reminder that I would like to contribute to this
>>> project starting with a fix for CASSANDRA-14183.
>>> 
>>> []s,
>>> Thiago.
>>> 
>>> 
>>> 
>>> On Tue, Jan 30, 2018 at 8:05 AM, Thiago Veronezi 
>>> wrote:
>>> 
 Hi dev team,
 
 Can one of you guys take a look at this jira ticket?
 https://issues.apache.org/jira/browse/CASSANDRA-14183
 
 It has a patch available for a known security issue with one of the
 dependencies. It has only trivial code changes. It should be
 straightforward to review it. Any feedback is very welcome.
 
 Thanks,
 Thiago
 
>> 
>> 
>> 



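Jeremiah's point above turns on whether a deployment has explicitly enabled logback's socket-receiving components. The following check is an added example, not code from the thread or from the Cassandra project: it scans a logback.xml for listening receivers and a JVM command line for logback's standalone socket server classes. The class names are logback's own; that these are the affected components is the thread's claim, and the sample configurations are constructed.

```python
import xml.etree.ElementTree as ET

# Receiver classes that open a listening socket for serialized log events.
# The class names are logback's own; that these are the components the thread
# calls vulnerable is the thread's claim, not something this script verifies.
LISTENING_RECEIVERS = {
    "ch.qos.logback.classic.net.server.ServerSocketReceiver",
    "ch.qos.logback.classic.net.server.SSLServerSocketReceiver",
}
# Standalone servers started from the command line rather than from logback.xml.
STANDALONE_SERVERS = (
    "ch.qos.logback.classic.net.SimpleSocketServer",
    "ch.qos.logback.classic.net.SimpleSSLSocketServer",
)


def find_socket_receivers(logback_xml: str) -> list:
    """Return (class, port) for each <receiver> element that listens on a socket."""
    hits = []
    for recv in ET.fromstring(logback_xml).iter("receiver"):
        cls = recv.get("class", "")
        if cls in LISTENING_RECEIVERS:
            port_el = recv.find("port")
            port = port_el.text.strip() if port_el is not None and port_el.text else None
            hits.append((cls, port))
    return hits


def uses_standalone_server(java_cmdline: str) -> bool:
    """True if a JVM command line launches one of logback's standalone socket servers."""
    return any(cls in java_cmdline.split() for cls in STANDALONE_SERVERS)


# Constructed sample resembling a default-style config: a file appender only.
DEFAULT_STYLE_XML = """<configuration scan="true">
  <appender name="SYSTEMLOG" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <file>system.log</file>
  </appender>
  <root level="INFO"><appender-ref ref="SYSTEMLOG"/></root>
</configuration>"""

# Constructed sample where an operator has added a listening receiver.
RECEIVER_XML = """<configuration>
  <receiver class="ch.qos.logback.classic.net.server.ServerSocketReceiver">
    <port>6000</port>
  </receiver>
  <root level="INFO"/>
</configuration>"""

if __name__ == "__main__":
    for name, xml in (("default-style", DEFAULT_STYLE_XML), ("receiver", RECEIVER_XML)):
        print(name, find_socket_receivers(xml) or "no listening receivers")
```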


Re: CASSANDRA-14183 review request -> logback upgrade to fix CVE

2018-02-13 Thread Michael Shuler
I tried a logback 1.2.x jar update a number of months ago to fix the
broken log rotation (try setting rotation to a large number - you'll
find you only get I think it was 10 files, regardless of setting).

Like we've found updating other jars in the past, this seemingly
"simple" update broke a number of application components, so we rolled
it back and worked out another log rotation method.

Looking at the logback changelog, I cannot tell if version 1.1.11 is
fixed for this, or if that might be less breakage? There are a pretty
significant number of API-looking changes from 1.1.3 to 1.2.3, so I do
not wish to break other users' applications, as I have experienced.

I do not think this should block the current releases, unless someone
wants to do some significant testing and user outreach for tentatively
breaking their applications.

-- 
Michael

On 02/13/2018 10:48 AM, Jason Brown wrote:
> Ariel,
> 
> If this is a legit CVE, then we would want to patch all the current
> versions we support - which is 2.1 and higher.
> 
> Also, is this worth stopping the current open vote for this patch? (Not in
> a place to look at the patch and affects to impacted branches right now).
> 
> Jason
> 
> On Tue, Feb 13, 2018 at 08:43 Ariel Weisberg  wrote:
> 
>> Hi,
>>
>> Seems like users could conceivably be using the vulnerable component. Also
>> seems like we potentially need to do this as far back as 2.1?
>>
>> Anyone else have an opinion before I commit this? What version to start
>> from?
>>
>> Ariel
>>
>> On Tue, Feb 13, 2018, at 5:59 AM, Thiago Veronezi wrote:
>>> Hi dev team,
>>>
>>> Sorry to keep bothering you.
>>>
>>> This is just a friendly reminder that I would like to contribute to this
>>> project starting with a fix for CASSANDRA-14183.
>>>
>>> []s,
>>> Thiago.
>>>
>>>
>>>
>>> On Tue, Jan 30, 2018 at 8:05 AM, Thiago Veronezi 
>>> wrote:
>>>
 Hi dev team,

 Can one of you guys take a look at this jira ticket?
 https://issues.apache.org/jira/browse/CASSANDRA-14183

 It has a patch available for a known security issue with one of the
 dependencies. It has only trivial code changes. It should be
 straightforward to review it. Any feedback is very welcome.

 Thanks,
 Thiago

>>
>>
>>
> 





Re: CASSANDRA-14183 review request -> logback upgrade to fix CVE

2018-02-13 Thread Jason Brown
Ariel,

If this is a legit CVE, then we would want to patch all the current
versions we support - which is 2.1 and higher.

Also, is this worth stopping the current open vote for this patch? (Not in
a place to look at the patch and affects to impacted branches right now).

Jason

On Tue, Feb 13, 2018 at 08:43 Ariel Weisberg  wrote:

> Hi,
>
> Seems like users could conceivably be using the vulnerable component. Also
> seems like we potentially need to do this as far back as 2.1?
>
> Anyone else have an opinion before I commit this? What version to start
> from?
>
> Ariel
>
> On Tue, Feb 13, 2018, at 5:59 AM, Thiago Veronezi wrote:
> > Hi dev team,
> >
> > Sorry to keep bothering you.
> >
> > This is just a friendly reminder that I would like to contribute to this
> > project starting with a fix for CASSANDRA-14183.
> >
> > []s,
> > Thiago.
> >
> >
> >
> > On Tue, Jan 30, 2018 at 8:05 AM, Thiago Veronezi 
> > wrote:
> >
> > > Hi dev team,
> > >
> > > Can one of you guys take a look at this jira ticket?
> > > https://issues.apache.org/jira/browse/CASSANDRA-14183
> > >
> > > It has a patch available for a known security issue with one of the
> > > dependencies. It has only trivial code changes. It should be
> > > straightforward to review it. Any feedback is very welcome.
> > >
> > > Thanks,
> > > Thiago
> > >
>
>
>


Re: CASSANDRA-14183 review request -> logback upgrade to fix CVE

2018-02-13 Thread Ariel Weisberg
Hi,

Seems like users could conceivably be using the vulnerable component. Also
seems like we potentially need to do this as far back as 2.1?

Anyone else have an opinion before I commit this? What version to start from?

Ariel

On Tue, Feb 13, 2018, at 5:59 AM, Thiago Veronezi wrote:
> Hi dev team,
> 
> Sorry to keep bothering you.
> 
> This is just a friendly reminder that I would like to contribute to this
> project starting with a fix for CASSANDRA-14183.
> 
> []s,
> Thiago.
> 
> 
> 
> On Tue, Jan 30, 2018 at 8:05 AM, Thiago Veronezi 
> wrote:
> 
> > Hi dev team,
> >
> > Can one of you guys take a look at this jira ticket?
> > https://issues.apache.org/jira/browse/CASSANDRA-14183
> >
> > It has a patch available for a known security issue with one of the
> > dependencies. It has only trivial code changes. It should be
> > straightforward to review it. Any feedback is very welcome.
> >
> > Thanks,
> > Thiago
> >




Re: CASSANDRA-14183 review request -> logback upgrade to fix CVE

2018-02-13 Thread Thiago Veronezi
Hi dev team,

Sorry to keep bothering you.

This is just a friendly reminder that I would like to contribute to this
project starting with a fix for CASSANDRA-14183.

[]s,
Thiago.



On Tue, Jan 30, 2018 at 8:05 AM, Thiago Veronezi 
wrote:

> Hi dev team,
>
> Can one of you guys take a look at this jira ticket?
> https://issues.apache.org/jira/browse/CASSANDRA-14183
>
> It has a patch available for a known security issue with one of the
> dependencies. It has only trivial code changes. It should be
> straightforward to review it. Any feedback is very welcome.
>
> Thanks,
> Thiago
>


CASSANDRA-14183 review request -> logback upgrade to fix CVE

2018-01-30 Thread Thiago Veronezi
Hi dev team,

Can one of you guys take a look at this jira ticket?
https://issues.apache.org/jira/browse/CASSANDRA-14183

It has a patch available for a known security issue with one of the
dependencies. It has only trivial code changes. It should be
straightforward to review it. Any feedback is very welcome.

Thanks,
Thiago