[jira] [Commented] (CASSANDRA-16464) Upgrade to logback package 1.2.0 or later fix high vulnerabilities

Jeremiah Jordan (Jira) Mon, 01 Mar 2021 14:15:06 -0800


    [ 
https://issues.apache.org/jira/browse/CASSANDRA-16464?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17293199#comment-17293199
 ]


Jeremiah Jordan commented on CASSANDRA-16464:
---------------------------------------------

No.  But you could read through the ticket linked above CASSANDRA-14183 for 
some ideas on trying to make your own fork if you really want.  But per the 
NEWS.txt entry (and the CVE description) as long as you are not using the 
SockerServer logback component, you are not affected.

> Upgrade to logback package 1.2.0 or later fix high vulnerabilities
> ------------------------------------------------------------------
>
>                 Key: CASSANDRA-16464
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-16464
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Dependencies
>            Reporter: Bhargav Joshi
>            Assignee: Brandon Williams
>            Priority: Normal
>             Fix For: 3.0.x
>
>
> Tag | Distro | CVE ID | Severity | Packages | Source Package | Fix Package 
> Version
> -- | -- | -- | -- | -- | -- | --
> v0.1.22 | Ubuntu-bionic | CVE-2017-5929 | critical | 
> ch.qos.logback_logback-core | 1.1.3 | fixed in 1.2.0



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-16464) Upgrade to logback package 1.2.0 or later fix high vulnerabilities

Reply via email to