Re: How to upgrade logback dependency

2019-02-13 Thread Michael Shuler
On 2/13/19 2:30 AM, Oleksandr Shulgin wrote:
> On Tue, Feb 12, 2019 at 7:02 PM Michael Shuler wrote:
>
> > If you are not using the logback SocketServer and ServerSocketReceiver
> > components, the CVE doesn't affect your server with logback 1.1.3.
>
> So

Re: How to upgrade logback dependency

2019-02-13 Thread Oleksandr Shulgin
On Tue, Feb 12, 2019 at 7:02 PM Michael Shuler wrote:
> If you are not using the logback SocketServer and ServerSocketReceiver
> components, the CVE doesn't affect your server with logback 1.1.3.

So the idea is that as long as logback.xml doesn't configure any of the above, we are fine with th

Re: How to upgrade logback dependency

2019-02-12 Thread Michael Shuler
On 2/12/19 11:53 AM, Michael Shuler wrote:
> https://issues.apache.org/jira/browse/CASSANDRA-14183
>
> 2.1 NEWS.txt merged up:
> https://github.com/apache/cassandra/blob/cassandra-2.1/NEWS.txt#L21-L28

I should have included that you can try simply replacing the jars in lib/ with the newer ones. L

Re: How to upgrade logback dependency

2019-02-12 Thread Michael Shuler
https://issues.apache.org/jira/browse/CASSANDRA-14183

2.1 NEWS.txt merged up:
https://github.com/apache/cassandra/blob/cassandra-2.1/NEWS.txt#L21-L28

--
Kind regards,
Michael

On 2/12/19 2:49 AM, Oleksandr Shulgin wrote:
> Hi,
>
> The latest release notes for all versions mention that logback <

How to upgrade logback dependency

2019-02-12 Thread Oleksandr Shulgin
Hi,

The latest release notes for all versions mention that logback < 1.2.0 is subject to CVE-2017-5929 and that the logback version is not upgraded. E.g.:
https://gitbox.apache.org/repos/asf?p=cassandra.git;a=blob_plain;f=NEWS.txt;hb=refs/tags/cassandra-3.0.18

Indeed, when installing 3.0.18 from t