Hi,

The latest release notes for all versions mention that logback < 1.2.0 is
subject to CVE-2017-5929 and that the logback version is not upgraded.
E.g.:
https://gitbox.apache.org/repos/asf?p=cassandra.git;a=blob_plain;f=NEWS.txt;hb=refs/tags/cassandra-3.0.18

Indeed, when installing 3.0.18 from the deb package I still see the older
version:

# ls -l /usr/share/cassandra/lib/logback*
-rw-r--r-- 1 root root 280926 Feb  1 18:37 /usr/share/cassandra/lib/logback-classic-1.1.3.jar
-rw-r--r-- 1 root root 455041 Feb  1 18:37 /usr/share/cassandra/lib/logback-core-1.1.3.jar

Given that I can install a newer logback version, for example, using apt-get
install liblogback (which currently pulls 1.2.3), how do I make sure
Cassandra uses the newer one?

Should I put the newer jars on CLASSPATH before starting the server?
Examining /usr/share/cassandra/cassandra.in.sh suggests that this is likely
to do the trick, but is this the way to go or is there a better way?
Didn't find this documented anywhere.

Regards,
-- 
Alex
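As an added example (not code from Alex's post, from the Cassandra project, nor from cassandra.in.sh), the POSIX shell audit below answers the verification half of the question: given the CLASSPATH string a JVM will receive, which logback jars does it contain, which one is first for each artifact, and is that one at or above the 1.2.0 fix level named in the post? It assumes jar names of the form logback-classic-<version>.jar / logback-core-<version>.jar (as in the listing above), that the JVM loads a class from the first classpath entry containing it, and uses /usr/share/java/... only as a placeholder for wherever the liblogback package installs its jars.

```shell
#!/bin/sh
# Added example, not code from the post or from Cassandra: audit the logback jars
# a JVM will actually see on a given CLASSPATH string and flag anything older
# than the 1.2.0 fix level for CVE-2017-5929 named in the post.
#
# Assumptions (labelled, not taken from the page):
#  - jar file names follow logback-classic-<ver>.jar / logback-core-<ver>.jar,
#    as in the ls listing from the post;
#  - the JVM resolves a class from the first classpath entry that contains it,
#    so only the FIRST logback-classic / logback-core entry matters;
#  - /usr/share/java/... is merely a placeholder for wherever liblogback lands.

MIN_LOGBACK="1.2.0"

# version_key "1.2.3" -> 1002003  (missing components count as 0, so "1.2" == "1.2.0")
version_key() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d%03d%03d\n", $1, $2, $3 }'
}

# version_ge A B: succeeds when dotted version A is >= B
version_ge() {
    [ "$(version_key "$1")" -ge "$(version_key "$2")" ]
}

# audit_classpath "<path:path:...>"
#   prints "artifact version status entry" for every logback jar on the path
#   return 0: first classic and first core jar are both >= MIN_LOGBACK
#   return 1: at least one of them is older (or unversioned, reported as UNKNOWN)
#   return 2: logback-classic or logback-core not found at all
audit_classpath() {
    cp=$1
    first_classic=""; first_core=""; count=0
    # split on ':' without letting the shell glob-expand entries like lib/*.jar
    old_ifs=$IFS; IFS=:; set -f; set -- $cp; set +f; IFS=$old_ifs
    for entry in "$@"; do
        name=${entry##*/}
        case "$name" in
            logback-classic*.jar) artifact=classic ;;
            logback-core*.jar)    artifact=core ;;
            *) continue ;;
        esac
        version=${name##*-}; version=${version%.jar}
        count=$((count + 1))
        case "$version" in
            *[!0-9.]*|"") status=UNKNOWN ;;   # e.g. an unversioned logback-core.jar symlink
            *) if version_ge "$version" "$MIN_LOGBACK"; then status=ok; else status=VULNERABLE; fi ;;
        esac
        printf '%s %s %s %s\n' "$artifact" "$version" "$status" "$entry"
        # remember only the first hit per artifact: that is the one the JVM loads from
        [ "$artifact" = classic ] && [ -z "$first_classic" ] && first_classic=$status
        [ "$artifact" = core ]    && [ -z "$first_core" ]    && first_core=$status
    done
    [ -n "$first_classic" ] && [ -n "$first_core" ] || return 2
    [ "$first_classic" = ok ] && [ "$first_core" = ok ] || return 1
    [ "$count" -gt 2 ] && printf 'WARNING: %s logback jars on the path; remove the old ones rather than relying on ordering\n' "$count" >&2
    return 0
}

# Constructed demo: the two jars from the post's listing, then a newer pair on an
# assumed path, prepended and appended, to show that ordering alone decides the result.
BUNDLED="/usr/share/cassandra/lib/logback-classic-1.1.3.jar:/usr/share/cassandra/lib/logback-core-1.1.3.jar"
NEWER="/usr/share/java/logback-classic-1.2.3.jar:/usr/share/java/logback-core-1.2.3.jar"
for CP in "$BUNDLED" "$NEWER:$BUNDLED" "$BUNDLED:$NEWER"; do
    if audit_classpath "$CP" 2>/dev/null; then echo "=> fixed"; else echo "=> NOT fixed"; fi
done
```

To check a real node, source the startup environment the same way the server does and pass the resulting variable in, e.g. `. /usr/share/cassandra/cassandra.in.sh; audit_classpath "$CLASSPATH"` (whether that script exports CLASSPATH when sourced is something to confirm by reading it). The demo's third case is the point worth keeping in mind: if the bundled 1.1.3 jars come first, a newer logback elsewhere on the path changes nothing, and even when the newer pair wins, leaving both versions on the path is fragile, so replacing the jars under lib and re-running this audit after every package upgrade (which may reinstall the old jars) is the more robust fix.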
