remote execution of arbitrary code http://www.mail-archive.com/user@cassandra.apache.org/msg41819.html
Created attachment 157082 [details]
security/vuxml documentation for Apache Cassandra CVE-2015-0225

Per the upstream security advisory, 1.2.x has reached EOL so there is not going to be an update that will fix databases/cassandra. As such, start by documenting the upstream advisory in security/vuxml.

#
# Validation Checks
#
# make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

#
# Pkg audit checks, starting with fixed version and working downward
#
# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit cassandra2-2.1.4
0 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit cassandra2-2.1.1
cassandra2-2.1.1 is vulnerable:
cassandra -- remote execution of arbitrary code
CVE: CVE-2015-0225
WWW: http://vuxml.FreeBSD.org/freebsd/607f4d44-0158-11e5-8fda-002590263bf5.html

1 problem(s) in the installed packages found.

root@xts-bsd /u/p/s/vuxml# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit cassandra2-2.0.10
cassandra2-2.0.10 is vulnerable:
cassandra -- remote execution of arbitrary code
CVE: CVE-2015-0225
WWW: http://vuxml.FreeBSD.org/freebsd/607f4d44-0158-11e5-8fda-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit cassandra-1.2.18
cassandra-1.2.18 is vulnerable:
cassandra -- remote execution of arbitrary code
CVE: CVE-2015-0225
WWW: http://vuxml.FreeBSD.org/freebsd/607f4d44-0158-11e5-8fda-002590263bf5.html

1 problem(s) in the installed packages found.
Committed, thanks!
A commit references this bug:

Author: delphij
Date: Sun May 24 07:29:10 UTC 2015
New revision: 387252
URL: https://svnweb.freebsd.org/changeset/ports/387252

Log:
  Document cassandra remote code execution vulnerability.

  PR:           199091
  Submitted by: Jason Unovitch <jason unovitch gmail com>

Changes:
  head/security/vuxml/vuln.xml
Reopen: the port is still unfixed.
Created attachment 157272 [details]
Document FORBIDDEN and DEPRECATED

Patch attached to document EOL per the upstream security advisory notification. Feedback requested on the patch.

1. My question is, what are the realistic criteria for marking the port as FORBIDDEN and DEPRECATED in light of the above?

Supporting discussion on that question. Per the security advisory [1]:

"1.2.x has reached EOL, so users of <= 1.2.x are recommended to upgrade to a supported version of Cassandra, or manually configure encryption and authentication of JMX,"

I requested some additional information from the Cassandra-users mailing list [2] and got some feedback that "when n+2 is released, version n is EOL", and given that 2.1.x is the current branch, 1.2.x would be EOL. It would be nice if the Cassandra project had things as nicely documented as FreeBSD's security policies are documented so I wouldn't have to ask a question like this.

2. What is a realistic timeline? I set it to 30 days based off seeing www/squid marked as such a while back, before it was determined www/squid would be the only version maintained in ports and it was updated to 3.4.

[1] http://www.mail-archive.com/user@cassandra.apache.org/msg41819.html
[2] http://www.mail-archive.com/user@cassandra.apache.org/msg42560.html
I don't think that JMX security is a major problem, because a normal Cassandra is run in a cluster with no auth set even for data access. Just a short after-install message about securing JMX would be good enough.
Radim,

For now, everybody is going to get the regular notices from pkg audit on the vulnerability. Adding it to the pkg-message until removal makes sense. As maintainer, what do you feel is a sane timeline for deprecating it and eventual removal from the ports tree?
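The advisory's remediation for users who stay on 1.2.x ("manually configure encryption and authentication of JMX") and the proposed post-install notice both come down to what the Cassandra JVM is started with. The following is an added example, not code from this PR, from the databases/cassandra port or from upstream Cassandra: a POSIX sh check over a node's java command line (or the JVM_OPTS value that cassandra-env.sh builds) that reports the unauthenticated remote JMX exposure behind CVE-2015-0225. The file name jmxaudit.sh and the two sample command lines are assumptions constructed for the example; the com.sun.management.jmxremote.* names are the standard JDK properties, and the handling of cassandra.jmx.local.port assumes the loopback-only default (LOCAL_JMX=yes) that the fixed upstream cassandra-env.sh files use.

```shell
#!/bin/sh
# jmxaudit.sh (hypothetical name): report whether a Cassandra node's JVM options
# leave remote JMX reachable without authentication, the exposure behind
# CVE-2015-0225. Added example; not code from the port, this PR or upstream.
#
# Input is the effective java command line (or the JVM_OPTS string that
# cassandra-env.sh builds). Output is one finding per line; the exit status is
# 0 when nothing needs attention and 1 otherwise.

jmx_findings() {
    opts="$1"
    rc=0

    # Assumption: fixed upstream releases default to LOCAL_JMX=yes, which sets
    # -Dcassandra.jmx.local.port instead of jmxremote.port so the JMX/RMI
    # listener is loopback-only. Nothing remote to audit in that case.
    case "$opts" in
        *-Dcassandra.jmx.local.port=*)
            echo "OK: JMX restricted to localhost (cassandra.jmx.local.port)"
            return 0 ;;
    esac

    # No remote JMX port at all means no listener and nothing to report.
    case "$opts" in
        *-Dcom.sun.management.jmxremote.port=*) ;;
        *)  echo "OK: remote JMX not enabled"
            return 0 ;;
    esac

    # Remote JMX is on. The JDK defaults for the two properties below are
    # "true"; a 1.2.x cassandra-env.sh sets both to false explicitly, which
    # is exactly the unauthenticated RMI endpoint the advisory describes.
    case "$opts" in
        *-Dcom.sun.management.jmxremote.authenticate=false*)
            echo "FAIL: remote JMX accepts connections without authentication"
            rc=1 ;;
    esac
    case "$opts" in
        *-Dcom.sun.management.jmxremote.ssl=false*)
            echo "WARN: remote JMX without TLS, credentials and calls travel in clear"
            rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: remote JMX requires authentication over TLS"
    return "$rc"
}

# Check the running node: the effective options appear on the java command line.
# (FreeBSD ps syntax; the bracket in the pattern keeps grep from matching itself.)
audit_running_node() {
    ps -axo args | grep '[o]rg.apache.cassandra.service.CassandraDaemon' |
    while IFS= read -r cmdline; do
        jmx_findings "$cmdline"
    done
}

# Constructed sample command lines (assumptions, not copied from any real node):
# what a 1.2.x cassandra-env.sh produces, and a hardened remote-JMX setup.
SAMPLE_12X='java -ea -Xms1G -Dcom.sun.management.jmxremote.port=7199 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false org.apache.cassandra.service.CassandraDaemon'
SAMPLE_HARDENED='java -Dcom.sun.management.jmxremote.port=7199 -Dcom.sun.management.jmxremote.rmi.port=7199 -Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=/usr/local/etc/cassandra/jmxremote.password org.apache.cassandra.service.CassandraDaemon'

case "${1:-}" in
    --live) audit_running_node ;;
    "")     echo "# 1.2.x default options:"
            jmx_findings "$SAMPLE_12X" || :
            echo "# hardened options:"
            jmx_findings "$SAMPLE_HARDENED" ;;
    *)      jmx_findings "$*" ;;
esac
```

Run with no arguments to see the two constructed samples evaluated, with --live to audit the java processes on the current host, or pass a JVM_OPTS string directly. The check deliberately treats an explicit ssl=false as a finding even when authentication is on, since the password then crosses the network in clear; a firewall rule on the JMX port is the complementary control the advisory's "EOL, upgrade or configure" wording leaves to the operator.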
A commit references this bug:

Author: junovitch
Date: Sun Dec 27 14:32:56 UTC 2015
New revision: 404570
URL: https://svnweb.freebsd.org/changeset/ports/404570

Log:
  databases/cassandra: Set DEPRECATED

  1.2.x has reached EOL, so users of <= 1.2.x are recommended to upgrade to
  a supported version of Cassandra

  Reference:
  http://www.mail-archive.com/user@cassandra.apache.org/msg41819.html
  http://www.mail-archive.com/user@cassandra.apache.org/msg42560.html

  PR:           199091
  Approved by:  maintainer timeout

Changes:
  head/databases/cassandra/Makefile
Set as DEPRECATED before we branch 2016Q1 as upstream hasn't supported 1.2.x since last year and set the deprecation to just before 2016Q2. The underlying issue will not be fixed upstream so this just follows their EOL.