https://issues.apache.org/jira/browse/CASSANDRA-14183
2.1 NEWS.txt merged up:
https://github.com/apache/cassandra/blob/cassandra-2.1/NEWS.txt#L21-L28

--
Kind regards,
Michael

On 2/12/19 2:49 AM, Oleksandr Shulgin wrote:
> Hi,
>
> The latest release notes for all versions mention that logback < 1.2.0
> is subject to CVE-2017-5929 and that the logback version is not upgraded.
> E.g:
> https://gitbox.apache.org/repos/asf?p=cassandra.git;a=blob_plain;f=NEWS.txt;hb=refs/tags/cassandra-3.0.18
>
> Indeed, when installing 3.0.18 from the deb package I still see the
> older version:
>
> # ls -l /usr/share/cassandra/lib/logback*
> -rw-r--r-- 1 root root 280926 Feb 1 18:37 /usr/share/cassandra/lib/logback-classic-1.1.3.jar
> -rw-r--r-- 1 root root 455041 Feb 1 18:37 /usr/share/cassandra/lib/logback-core-1.1.3.jar
>
> Given that I can install a newer logback version, for example, using
> apt-get install liblogback (which currently pulls 1.2.3), how do I make
> sure Cassandra uses the newer one?
>
> Should I put the newer jars on CLASSPATH before starting the server?
> Examining /usr/share/cassandra/cassandra.in.sh
> suggests that this is likely to do the trick, but is this the way to go
> or is there a better way?
> Didn't find this documented anywhere.
>
> Regards,
> --
> Alex
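A check for the condition discussed in this thread, as an added example that is not part of the original messages or of Cassandra's own scripts: it reads the logback version from each jar filename in a directory and flags anything below 1.2.0. The function names `version_lt` and `scan_logback` are hypothetical, and the version is assumed to be the trailing part of the filename, as in the `ls` output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): flag logback jars below a minimum version.

# version_lt A B: succeed when dotted version A is strictly lower than B.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; x=${x%%[!0-9]*}; x=${x:-0}   # "3-SNAPSHOT" -> 3
        y=${b%%.*}; y=${y%%[!0-9]*}; y=${y:-0}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1   # versions are equal
}

# scan_logback DIR [MIN]: print one status line per logback jar in DIR.
# Returns 0 if every jar is >= MIN (default 1.2.0, the threshold named in
# the release notes), 1 if any jar is older or carries no version in its
# name, 2 if DIR holds no logback jar at all.
scan_logback() {
    dir=$1 min=${2:-1.2.0} found=0 bad=0
    for jar in "$dir"/logback-*.jar; do
        [ -e "$jar" ] || continue             # glob matched nothing
        found=1
        ver=${jar##*/}; ver=${ver%.jar}       # logback-core-1.1.3
        ver=${ver#logback-}; ver=${ver#*-}    # 1.1.3
        case $ver in
            [0-9]*) ;;
            *) echo "UNKNOWN - $jar"; bad=1; continue ;;
        esac
        if version_lt "$ver" "$min"; then
            echo "OUTDATED $ver $jar"; bad=1
        else
            echo "OK $ver $jar"
        fi
    done
    [ "$found" -eq 1 ] || return 2
    return "$bad"
}
```

On a node, `scan_logback /usr/share/cassandra/lib` covers the directory listed in the question; a filename only shows which jar is installed there, not which one the running JVM actually loaded.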