Bug 200414 - [databases/cassandra2][security] CVE-2015-0225
Summary: [databases/cassandra2][security] CVE-2015-0225
Status: Closed Overcome By Events
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any
OS: Any
Importance: --- Affects Some People
Assignee: admins
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-05-23 15:00 UTC by Jason Unovitch
Modified: 2017-11-12 16:00 UTC (History)

See Also:
bugzilla: maintainer-feedback? (admins)


Description Jason Unovitch freebsd_committer freebsd_triage 2015-05-23 15:00:29 UTC
databases/cassandra2 is vulnerable to CVE-2015-0225 -- remote execution of arbitrary code.  The security/vuxml patch is pending in https://bugs.freebsd.org/199091.  Open PR against Cassandra 2 to generate notice for maintainer to update to new version.

Jason
Comment 1 Xin LI freebsd_committer freebsd_triage 2015-05-24 07:32:50 UTC
Over to maintainer.
Comment 2 admins 2015-06-01 17:30:21 UTC
See bug #200373, comment #2
Comment 3 Jason Unovitch freebsd_committer freebsd_triage 2015-06-02 00:45:49 UTC
(In reply to admins from comment #2)

So potentially mark BROKEN pending feedback on the various other open PRs for Cassandra 2.  Does Cassandra 2.1.5 fix any of these issues?  I notice the port is a couple of versions back from what's readily available.  Are you able to update it?  Do you need help?
Comment 4 admins 2015-06-02 15:04:34 UTC
Will try to update and let you know.
Comment 5 Jason Unovitch freebsd_committer freebsd_triage 2015-07-05 15:27:20 UTC
(In reply to admins from comment #4)

There have been two upstream releases since the last update to this PR so I downloaded the various recent tarballs from the Cassandra page and just executed them outside of ports with a simple bin/cassandra.  Here is what I found.

OpenJDK6 / apache-cassandra-2.0.16
 - Cassandra 2.0 and later require Java 7 or later.
OpenJDK6 / apache-cassandra-2.1.7
 - Cassandra 2.0 and later require Java 7u25 or later.
OpenJDK6 / apache-cassandra-2.2.0-rc1
 - Cassandra 2.0 and later require Java 7u25 or later.
OpenJDK7 / apache-cassandra-2.0.16
 - starts
OpenJDK7 / apache-cassandra-2.1.7
 - SIGSEGV with [libjvm.so+0x8644f0]  JVM_handle_bsd_signal+0x1141b0
OpenJDK7 / apache-cassandra-2.2.0-rc1
 - SIGSEGV with [libjvm.so+0x8644f0]  JVM_handle_bsd_signal+0x1141b0
OpenJDK8 / apache-cassandra-2.0.16
 - starts
OpenJDK8 / apache-cassandra-2.1.7
 - SIGSEGV with [libjvm.so+0x8ca07d]  JVM_handle_bsd_signal+0x120b1d
OpenJDK8 / apache-cassandra-2.2.0-rc1
 - SIGSEGV with [libjvm.so+0x8ca07d]  JVM_handle_bsd_signal+0x120b1d

How do we want to handle this?  The impression I am getting from bug 200373 comment 2 with the upstream link you mentioned to https://issues.apache.org/jira/browse/CASSANDRA-8325 is that there is no forward movement on getting this fixed.  I can think of two options.

1. Bump PORTEPOCH and downgrade to 2.0.16,1.  This will leave FreeBSD with a working Cassandra 2 port and resolve the security issue at the cost of being on a branch that will eventually go away.

2. Just mark it BROKEN referencing the upstream issue and remove it eventually if there is no fixed 2.x version from upstream.

Neither option is perfect, but the JIRA mentions work on Cassandra 3.0 and neither option will be a blocker to an eventual databases/cassandra3 port if someone interested enough in Cassandra is willing to put in the effort to make it work.
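The PORTEPOCH point in option 1 above, as an added example that is not part of this bug report or of the ports tree: a simplified Python reimplementation of how pkg orders package versions (epoch first, then the dotted version, then PORTREVISION). The real comparator also handles letter and pre-release suffixes such as "rc1", which this version ignores; the function names are hypothetical. It shows why a plain downgrade of the port to 2.0.16 would never be offered to users already running a 2.1.x package, whereas 2.0.16,1 sorts above every epoch-0 version and gets them off the vulnerable release.

```python
from typing import List, Tuple


def parse_pkg_version(v: str) -> Tuple[int, List[int], int]:
    """Split a FreeBSD package version 'VERSION[_REVISION][,EPOCH]' into
    (epoch, numeric version components, revision).

    Simplified model (assumption): every dotted component is numeric, so
    '2.2.0-rc1' style pre-release strings are out of scope here.
    """
    epoch = 0
    revision = 0
    if "," in v:
        v, e = v.rsplit(",", 1)      # ',N' is PORTEPOCH
        epoch = int(e)
    if "_" in v:
        v, r = v.rsplit("_", 1)      # '_N' is PORTREVISION
        revision = int(r)
    components = [int(c) for c in v.split(".")]
    return epoch, components, revision


def compare_pkg_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like 'pkg version -t a b' prints '<', '=', '>'.

    Epoch dominates everything, which is exactly what a PORTEPOCH bump
    relies on when a port has to move to a lower upstream version.
    """
    ea, ca, ra = parse_pkg_version(a)
    eb, cb, rb = parse_pkg_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    # Pad the shorter component list so 2.0 == 2.0.0 and 2.0.16 < 2.1.
    n = max(len(ca), len(cb))
    ca += [0] * (n - len(ca))
    cb += [0] * (n - len(cb))
    if ca != cb:
        return -1 if ca < cb else 1
    if ra != rb:
        return -1 if ra < rb else 1
    return 0


def pkg_would_upgrade(installed: str, candidate: str) -> bool:
    """pkg only replaces an installed package with a candidate that sorts higher."""
    return compare_pkg_versions(candidate, installed) > 0


if __name__ == "__main__":
    # Constructed scenario: a user has the 2.1.7 tarball's version installed
    # and the port is moved back to the 2.0 branch.
    installed = "2.1.7"
    for candidate in ("2.0.16", "2.0.16_1", "2.0.16,1"):
        print(f"{installed} -> {candidate}: upgrade offered = "
              f"{pkg_would_upgrade(installed, candidate)}")
```

The script's last loop makes the point concrete: without the epoch, neither 2.0.16 nor a PORTREVISION bump on it ranks above 2.1.7, so `pkg upgrade` would leave the vulnerable package in place; only the ",1" epoch does.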
Comment 6 Rene Ladan freebsd_committer freebsd_triage 2017-11-12 16:00:11 UTC
Removing this port, it expired on 2017-11-09 and this PR has not been updated in 28 months.