Ariel,

If this is a legit CVE, then we would want to patch all the current versions we support - which is 2.1 and higher.

Also, is this worth stopping the current open vote for this patch? (Not in a place to look at the patch and effects on impacted branches right now).

Jason

On Tue, Feb 13, 2018 at 08:43 Ariel Weisberg <ar...@weisberg.ws> wrote:

> Hi,
>
> Seems like users could conceivably be using the vulnerable component. Also
> seems like we potentially need to do this as far back as 2.1?
>
> Anyone else have an opinion before I commit this? What version to start
> from?
>
> Ariel
>
> On Tue, Feb 13, 2018, at 5:59 AM, Thiago Veronezi wrote:
> > Hi dev team,
> >
> > Sorry to keep bothering you.
> >
> > This is just a friendly reminder that I would like to contribute to this
> > project starting with a fix for CASSANDRA-14183
> > <https://issues.apache.org/jira/browse/CASSANDRA-14183>.
> >
> > []s,
> > Thiago.
> >
> > On Tue, Jan 30, 2018 at 8:05 AM, Thiago Veronezi <thi...@veronezi.org>
> > wrote:
> >
> > > Hi dev team,
> > >
> > > Can one of you guys take a look at this jira ticket?
> > > https://issues.apache.org/jira/browse/CASSANDRA-14183
> > >
> > > It has a patch available for a known security issue with one of the
> > > dependencies. It has only trivial code changes. It should be
> > > straightforward to review it. Any feedback is very welcome.
> > >
> > > Thanks,
> > > Thiago