Suppress CVE-2023-6378

Patch by brandonwilliams, reviewed by smiklosovic for CASSANDRA-19142
apache · Dec 6, 2023 · a1421ec · a1421ec
1 parent c1b1205
commit a1421ec
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/.build/dependency-check-suppressions.xml b/.build/dependency-check-suppressions.xml
@@ -107,4 +107,13 @@
         <cve>CVE-2019-17267</cve>
     </suppress>
 
+    <!-- https://issues.apache.org/jira/browse/CASSANDRA-19142 -->
+    <suppress>
+        <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-core@.*$</packageUrl>
+        <cve>CVE-2023-6378</cve>
+    </suppress>
+    <suppress>
+        <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback\-classic@.*$</packageUrl>
+        <cve>CVE-2023-6378</cve>
+    </suppress>
 </suppressions>
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -1,4 +1,5 @@
 3.0.30
+ * Suppress CVE-2023-6378 (CASSANDRA-19142) 
  * Do not set RPC_READY to false on transports shutdown in order to not fail counter updates for deployments with coordinator and storage nodes with transports turned off (CASSANDRA-18935)
  * Suppress CVE-2023-44487 (CASSANDRA-18943)
  * Fix nodetool enable/disablebinary to correctly set rpc readiness in gossip (CASSANDRA-18935)