[ https://issues.apache.org/jira/browse/CASSANDRA-14183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16362773#comment-16362773 ]

Michael Shuler commented on CASSANDRA-14183:
--------------------------------------------

As discussed on the dev@ list and IRC, I have experienced third-party 
application failure upon updating to logback-1.2.3, so I am not keen on 
updating the jar in stable branches without due diligence on test updates and 
user notification.

I'm fine with committing an update to trunk.

Dropping in a new jar is not all that's needed for a complete fix, since we 
break unit tests. I attached a git patch on trunk that was created for the 
purpose of fixing log rotation, but it does not build properly at the moment. 
It has the cql3 test changes needed, as well as some notes on obsoleted API 
changes in logback since 1.1.3.

I hope it helps.

> CVE-2017-5929 Security vulnerability
> ------------------------------------
>
>                 Key: CASSANDRA-14183
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14183
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Libraries
>            Reporter: Thiago Veronezi
>            Assignee: Thiago Veronezi
>            Priority: Major
>              Labels: patch, security
>             Fix For: 3.11.x
>
>         Attachments: 
> 0001-Update-to-logback-1.2.3-and-redefine-default-rotatio.patch
>
>
> Cassandra 3.11.1 is patched with logback 1.1.3, which contains the security 
> vulnerability described here. 
> [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
