Re: CASSANDRA-14183 review request -> logback upgrade to fix CVE

2018-02-13 Thread Jeff Jirsa
gging can be easily > upgraded or changed. > -- > Jacques-Henri Berthemet > > -Original Message- > From: Ariel Weisberg [mailto:ar...@weisberg.ws] > Sent: Tuesday, February 13, 2018 6:28 PM > To: dev@cassandra.apache.org > Subject: Re: CASSANDRA-14183 review request

Re: CASSANDRA-14183 review request -> logback upgrade to fix CVE

2018-02-13 Thread Jason Brown
Ariel, >> Option 4, upgrade trunk, update NEWS.TXT in prior versions warning about the vulnerability +1 to this. I'll check the ticket, as well. On Tue, Feb 13, 2018 at 9:45 AM, Ariel Weisberg wrote: > Hi, > > Option 4, upgrade trunk, update NEWS.TXT in prior versions warning about > the vulne

Re: CASSANDRA-14183 review request -> logback upgrade to fix CVE

2018-02-13 Thread Ariel Weisberg
Hi, Option 4, upgrade trunk, update NEWS.TXT in prior versions warning about the vulnerability. Ariel On Tue, Feb 13, 2018, at 12:28 PM, Ariel Weisberg wrote: > Hi, > > So our options are: > > 1. Ignore it. > Most people aren't using this functionality. > Most people aren't and shouldn't be e

RE: CASSANDRA-14183 review request -> logback upgrade to fix CVE

2018-02-13 Thread Jacques-Henri Berthemet
e.org Subject: Re: CASSANDRA-14183 review request -> logback upgrade to fix CVE Hi, So our options are: 1. Ignore it. Most people aren't using this functionality. Most people aren't and shouldn't be exposing the logging port to untrusted networks But everyone loses at defense in dept

Re: CASSANDRA-14183 review request -> logback upgrade to fix CVE

2018-02-13 Thread Ariel Weisberg
Hi, So our options are: 1. Ignore it. Most people aren't using this functionality. Most people aren't and shouldn't be exposing the logging port to untrusted networks But everyone loses at defense in depth (or is it breadth) if they use this functionality and someone might expose the port 2. R

Re: CASSANDRA-14183 review request -> logback upgrade to fix CVE

2018-02-13 Thread Ariel Weisberg
Hi, I don't think the fix is in 1.1.11 looking at the diff between 1.1.11 and 1.2.0 https://github.com/qos-ch/logback/compare/v_1.1.11...v_1.2.0 I looked at 1.1.11 and 1.1.10 and didn't see it there either. When you say stuff broke do you mean stuff not in the dtests or utests? Ariel On Tue,

Re: CASSANDRA-14183 review request -> logback upgrade to fix CVE

2018-02-13 Thread Jason Brown
Thanks, Michael and Jeremiah. That’s good input. Ok, let’s not hold up the vote. On Tue, Feb 13, 2018 at 08:58 Jeremiah D Jordan wrote: > s/does affect/does not affect/ > > > On Feb 13, 2018, at 11:57 AM, Jeremiah D Jordan < > jeremiah.jor...@gmail.com> wrote: > > > > I don’t think we need to s

Re: CASSANDRA-14183 review request -> logback upgrade to fix CVE

2018-02-13 Thread Jeremiah D Jordan
s/does affect/does not affect/ > On Feb 13, 2018, at 11:57 AM, Jeremiah D Jordan > wrote: > > I don’t think we need to stop the vote. This CVE has been around for a while > (3/13/2017), and does affect any install I have ever seen. It affects users > who manually enable some specific logbac

Re: CASSANDRA-14183 review request -> logback upgrade to fix CVE

2018-02-13 Thread Jeremiah D Jordan
I don’t think we need to stop the vote. This CVE has been around for a while (3/13/2017), and does affect any install I have ever seen. It affects users who manually enable some specific logback features using the SocketServer or ServerSocketReceiver component which are not used in our default
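The practical question behind Jeremiah's message above (is the ServerSocketReceiver component actually enabled?) and Ariel's earlier version comparison (fix present by logback 1.2.0, not in 1.1.11) can be turned into a small audit check. The script below is an added example for this thread, not Cassandra project code: it parses a logback.xml for `<receiver>` elements whose class is one of logback's listening-socket receivers and reads the logback-classic version out of a lib directory listing. The sample configs and jar listings are constructed for the demo; the `SSLServerSocketReceiver` class name and the `logback-classic-<version>.jar` naming pattern are assumptions not stated in the thread, and the 1.2.0 threshold is taken from Ariel's diff check, not from the CVE text.

```python
"""Audit helper for the CASSANDRA-14183 discussion (added example, not project code).

Answers two questions for a node:
  1. Does its logback.xml enable a network receiver (ServerSocketReceiver and
     friends), i.e. the component the CVE actually reaches?
  2. Is the bundled logback-classic older than 1.2.0, where the thread says
     the fix landed?
Only the combination of both is a real exposure; the default Cassandra
config ships no receiver at all.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Receivers that bind a listening port and deserialize logging events.
# ServerSocketReceiver is the one named in the thread; the SSL variant is an
# assumption (it is the TLS-wrapped form of the same listener).
NETWORK_RECEIVER_CLASSES = {
    "ch.qos.logback.classic.net.server.ServerSocketReceiver",
    "ch.qos.logback.classic.net.server.SSLServerSocketReceiver",
}

# First logback-classic release in which the fix was found (per the thread).
FIXED_VERSION: Tuple[int, int, int] = (1, 2, 0)

# Constructed sample: a Cassandra-style config with appenders only.
DEFAULT_CONFIG = """
<configuration scan="true">
  <appender name="SYSTEMLOG" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <file>/var/log/cassandra/system.log</file>
    <encoder><pattern>%-5level %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="SYSTEMLOG"/></root>
</configuration>
"""

# Constructed sample: same config, but a user has added a listening receiver.
RECEIVER_CONFIG = """
<configuration scan="true">
  <receiver class="ch.qos.logback.classic.net.server.ServerSocketReceiver">
    <port>4560</port>
  </receiver>
  <root level="INFO"/>
</configuration>
"""

# Constructed lib directory listings (file names only).
OLD_LIBS = ["logback-classic-1.1.3.jar", "logback-core-1.1.3.jar", "guava-18.0.jar"]
NEW_LIBS = ["logback-classic-1.2.3.jar", "logback-core-1.2.3.jar"]


def find_network_receivers(logback_xml: str) -> List[str]:
    """Return class names of <receiver> elements that open a listening socket."""
    root = ET.fromstring(logback_xml)
    return [
        recv.get("class", "")
        for recv in root.iter("receiver")
        if recv.get("class", "") in NETWORK_RECEIVER_CLASSES
    ]


def parse_version(jar_name: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a logback-classic-X.Y.Z.jar file name."""
    m = re.match(r"logback-classic-(\d+)\.(\d+)\.(\d+)\.jar$", jar_name)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def logback_classic_version(lib_listing: List[str]) -> Optional[Tuple[int, int, int]]:
    """Find the bundled logback-classic version, or None if no jar matches."""
    for name in lib_listing:
        version = parse_version(name)
        if version is not None:
            return version
    return None


def assess(logback_xml: str, lib_listing: List[str]) -> Dict[str, object]:
    """Combine config and version checks into one status for the node."""
    receivers = find_network_receivers(logback_xml)
    version = logback_classic_version(lib_listing)
    outdated = version is not None and version < FIXED_VERSION
    if receivers and outdated:
        status = "EXPOSED"                   # vulnerable component enabled on old logback
    elif receivers:
        status = "RECEIVER_ENABLED_PATCHED"  # listener on, but logback already fixed
    elif outdated:
        status = "OUTDATED_NOT_EXPOSED"      # old jar, but nothing listens (Cassandra default)
    else:
        status = "OK"
    return {"receivers": receivers, "version": version, "status": status}


if __name__ == "__main__":
    for label, cfg, libs in [("default/old", DEFAULT_CONFIG, OLD_LIBS),
                             ("receiver/old", RECEIVER_CONFIG, OLD_LIBS),
                             ("receiver/new", RECEIVER_CONFIG, NEW_LIBS)]:
        print(label, assess(cfg, libs))
```

On a real node, feed `assess` the contents of `conf/logback.xml` and `os.listdir("lib")`; an `EXPOSED` result is the case the thread is debating, while `OUTDATED_NOT_EXPOSED` is what a stock install reports and is only a defense-in-depth concern.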

Re: CASSANDRA-14183 review request -> logback upgrade to fix CVE

2018-02-13 Thread Michael Shuler
I tried a logback 1.2.x jar update a number of months ago to fix the broken log rotation (try setting rotation to a large number - you'll find you only get I think it was 10 files, regardless of setting). Like we've found updating other jars in the past, this seemingly "simple" update broke a numb

Re: CASSANDRA-14183 review request -> logback upgrade to fix CVE

2018-02-13 Thread Jason Brown
Ariel, If this is a legit CVE, then we would want to patch all the current versions we support - which is 2.1 and higher. Also, is this worth stopping the current open vote for this patch? (Not in a place to look at the patch and affects to impacted branches right now). Jason On Tue, Feb 13, 20

Re: CASSANDRA-14183 review request -> logback upgrade to fix CVE

2018-02-13 Thread Ariel Weisberg
Hi, Seems like users could conceivably be using the vulnerable component. Also seems like we potentially need to do this as far back as 2.1? Anyone else have an opinion before I commit this? What version to start from? Ariel On Tue, Feb 13, 2018, at 5:59 AM, Thiago Veronezi wrote: >

Re: CASSANDRA-14183 review request -> logback upgrade to fix CVE

2018-02-13 Thread Thiago Veronezi
Hi dev team, Sorry to keep bothering you. This is just a friendly reminder that I would like to contribute to this project starting with a fix for CASSANDRA-14183 . []s, Thiago. On Tue, Jan 30, 2018 at 8:05 AM, Thiago Veronezi wrote: >