CVE-2017-5929 Security vulnerability in Logback warning in NEWS.txt

aweisberg · aweisberg · commit 4bbd28a043f1 · 2018-02-14T11:55:00.000-05:00
Patch by Ariel Weisberg; Reviewed by Jason Brown for CASSANDRA-14183
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -1,3 +1,6 @@
+2.1.21
+ * CVE-2017-5929 Security vulnerability in Logback warning in NEWS.txt (CASSANDRA-14183)
+
 2.1.20
  * Protect against overflow of local expiration time (CASSANDRA-14092)
  * More PEP8 compliance for cqlsh (CASSANDRA-14021)
diff --git a/NEWS.txt b/NEWS.txt
@@ -18,6 +18,15 @@ CASSANDRA-14092.txt file.
 If you use or plan to use very large TTLS (10 to 20 years), read CASSANDRA-14092.txt
 for more information.
 
+PLEASE READ: CVE-2017-5929 LOGBACK BEFORE 1.2.0 SERIALIZATION VULNERABILITY
+------------------------------------------------------------------
+QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the
+SocketServer and ServerSocketReceiver components.
+
+Logback has not been upgraded to avoid breaking deployments and customizations
+based on older versions. If you are using vulnerable components you will need
+to upgrade to a newer version of Logback or stop using the vulnerable components.
+
 GENERAL UPGRADING ADVICE FOR ANY VERSION
 ========================================
 
