Thanks, Michael and Jeremiah. That’s good input. Ok, let’s not hold up the vote.
On Tue, Feb 13, 2018 at 08:58 Jeremiah D Jordan <jeremiah.jor...@gmail.com> wrote:

> s/does affect/does not affect/
>
> > On Feb 13, 2018, at 11:57 AM, Jeremiah D Jordan <jeremiah.jor...@gmail.com> wrote:
> >
> > I don’t think we need to stop the vote. This CVE has been around for a
> > while (3/13/2017), and does affect any install I have ever seen. It
> > affects users who manually enable some specific logback features using the
> > SocketServer or ServerSocketReceiver component which are not used in our
> > default settings (or by any install I have ever seen).
> >
> > -Jeremiah
> >
> >> On Feb 13, 2018, at 11:48 AM, Jason Brown <jasedbr...@gmail.com> wrote:
> >>
> >> Ariel,
> >>
> >> If this is a legit CVE, then we would want to patch all the current
> >> versions we support - which is 2.1 and higher.
> >>
> >> Also, is this worth stopping the current open vote for this patch? (Not in
> >> a place to look at the patch and effects on impacted branches right now).
> >>
> >> Jason
> >>
> >> On Tue, Feb 13, 2018 at 08:43 Ariel Weisberg <ar...@weisberg.ws> wrote:
> >>
> >>> Hi,
> >>>
> >>> Seems like users could conceivably be using the vulnerable component. Also
> >>> seems like we potentially need to do this as far back as 2.1?
> >>>
> >>> Anyone else have an opinion before I commit this? What version to start
> >>> from?
> >>>
> >>> Ariel
> >>>
> >>> On Tue, Feb 13, 2018, at 5:59 AM, Thiago Veronezi wrote:
> >>>> Hi dev team,
> >>>>
> >>>> Sorry to keep bothering you.
> >>>>
> >>>> This is just a friendly reminder that I would like to contribute to this
> >>>> project starting with a fix for CASSANDRA-14183
> >>>> <https://issues.apache.org/jira/browse/CASSANDRA-14183>.
> >>>>
> >>>> []s,
> >>>> Thiago.
> >>>>
> >>>> On Tue, Jan 30, 2018 at 8:05 AM, Thiago Veronezi <thi...@veronezi.org>
> >>>> wrote:
> >>>>
> >>>>> Hi dev team,
> >>>>>
> >>>>> Can one of you guys take a look at this jira ticket?
> >>>>> https://issues.apache.org/jira/browse/CASSANDRA-14183
> >>>>>
> >>>>> It has a patch available for a known security issue with one of the
> >>>>> dependencies. It has only trivial code changes. It should be
> >>>>> straightforward to review it. Any feedback is very welcome.
> >>>>>
> >>>>> Thanks,
> >>>>> Thiago
> >>>>>
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org
> >>> For additional commands, e-mail: dev-h...@cassandra.apache.org