* [ISSUE] log4j fallout
From: leahneukirchen @ 2021-12-14 19:46 UTC
To: ml
New issue by leahneukirchen on void-packages repository
https://github.com/void-linux/void-packages/issues/34534
Description:
These packages contain old, vulnerable versions of log4j.
- [ ] apache-jmeter-5.3_1 /usr/libexec/apache-jmeter/lib/log4j-core-2.13.1.jar
- [ ] apache-storm-2.2.0_3 /usr/lib/apache-storm/external/storm-autocreds/log4j-core-2.11.2.jar
- [ ] arduino-1.8.13_1 /usr/lib/arduino/lib/log4j-core-2.12.0.jar
- [ ] elasticsearch-5.1.2_2 /usr/share/elasticsearch/lib/log4j-core-2.7.jar
- [ ] sbt-1.3.10_2 /usr/share/sbt/lib/local-preloaded/org/apache/logging/log4j/log4j-core/2.11.2/log4j-core-2.11.2.jar
cc @knusbaum @bougyman @Gottox @igorsantana @Trojan295
* Re: log4j fallout
From: leahneukirchen @ 2021-12-14 19:53 UTC
To: ml
New comment by leahneukirchen on void-packages repository
https://github.com/void-linux/void-packages/issues/34534#issuecomment-993928115
Comment:
cc @fosslinux @q66 @Piraty @nonchip @mobinmob (recent contributors to these packages)
* Re: log4j fallout
From: hiljusti @ 2022-01-07 9:54 UTC
To: ml
New comment by hiljusti on void-packages repository
https://github.com/void-linux/void-packages/issues/34534#issuecomment-1007276248
Comment:
Got sbt building, but not familiar with any others
* Re: log4j fallout
From: hiljusti @ 2022-01-07 9:54 UTC
To: ml
New comment by hiljusti on void-packages repository
https://github.com/void-linux/void-packages/issues/34534#issuecomment-1007276248
Comment:
Got sbt package building, but not familiar with any others
* Re: log4j fallout
From: knusbaum @ 2022-01-18 18:43 UTC
To: ml
New comment by knusbaum on void-packages repository
https://github.com/void-linux/void-packages/issues/34534#issuecomment-1015714291
Comment:
apache-storm hasn't published new packages and replacing log4j and building it is non-trivial.
apache-jmeter I will look at.
* Re: log4j fallout
From: knusbaum @ 2022-01-18 20:12 UTC
To: ml
New comment by knusbaum on void-packages repository
https://github.com/void-linux/void-packages/issues/34534#issuecomment-1015796312
Comment:
apache-jmeter: https://github.com/void-linux/void-packages/pull/35114
* Re: log4j fallout
From: classabbyamp @ 2022-06-29 0:55 UTC
To: ml
New comment by classabbyamp on void-packages repository
https://github.com/void-linux/void-packages/issues/34534#issuecomment-1169423970
Comment:
davmail: https://github.com/mguessan/davmail/issues/187 - fixed on trunk but not released
zookeeper: [jira issue](https://issues.apache.org/jira/browse/ZOOKEEPER-4427) - fixed in 3.8.0 by moving to logback
* Re: log4j fallout
From: classabbyamp @ 2022-06-29 0:55 UTC
To: ml
New comment by classabbyamp on void-packages repository
https://github.com/void-linux/void-packages/issues/34534#issuecomment-1169423970
Comment:
davmail: https://github.com/mguessan/davmail/issues/187 - fixed on trunk but not released (doesn't mention what changeset fixes it?)
zookeeper: [jira issue](https://issues.apache.org/jira/browse/ZOOKEEPER-4427) - fixed in 3.8.0 by moving to logback
* Re: log4j fallout
From: github-actions @ 2022-09-27 2:13 UTC
To: ml
New comment by github-actions[bot] on void-packages repository
https://github.com/void-linux/void-packages/issues/34534#issuecomment-1258874006
Comment:
Issues become stale 90 days after last activity and are closed 14 days after that. If this issue is still relevant bump it or assign it.
* Re: log4j fallout
From: Piraty @ 2022-09-27 21:55 UTC
To: ml
New comment by Piraty on void-packages repository
https://github.com/void-linux/void-packages/issues/34534#issuecomment-1260094858
Comment:
ping @Anachron (davmail)
* Re: log4j fallout
From: Anachron @ 2022-09-28 8:33 UTC
To: ml
New comment by Anachron on void-packages repository
https://github.com/void-linux/void-packages/issues/34534#issuecomment-1260570442
Comment:
Thanks for the ping, @Piraty, I'm currently building `davmail-6.0.1_1`.
* Re: log4j fallout
From: Anachron @ 2022-09-28 8:36 UTC
To: ml
New comment by Anachron on void-packages repository
https://github.com/void-linux/void-packages/issues/34534#issuecomment-1260570442
Comment:
Thanks for the ping, @Piraty, I'm currently building `davmail-6.0.1_1`.
Edit: Looks like `davmail` is not affected: https://sourceforge.net/p/davmail/support-requests/400/#a580
* Re: log4j fallout
From: Anachron @ 2022-09-28 8:42 UTC
To: ml
New comment by Anachron on void-packages repository
https://github.com/void-linux/void-packages/issues/34534#issuecomment-1260570442
Comment:
Thanks for the ping, @Piraty, I'm currently building `davmail-6.0.1_1`.
Edit: `davmail` is not affected by `log4j`: https://sourceforge.net/p/davmail/support-requests/400/#a580
* Re: log4j fallout
From: classabbyamp @ 2022-10-06 8:08 UTC
To: ml
New comment by classabbyamp on void-packages repository
https://github.com/void-linux/void-packages/issues/34534#issuecomment-1269544069
Comment:
with #39737 I think that's everything
* Re: [ISSUE] [CLOSED] log4j fallout
From: classabbyamp @ 2022-10-06 8:08 UTC
To: ml
Closed issue by leahneukirchen on void-packages repository
https://github.com/void-linux/void-packages/issues/34534
Description:
These packages contain old, vulnerable versions of log4j.
- [x] apache-jmeter-5.3_1 /usr/libexec/apache-jmeter/lib/log4j-core-2.13.1.jar
- [x] apache-storm-2.2.0_3 /usr/lib/apache-storm/external/storm-autocreds/log4j-core-2.11.2.jar
- [x] arduino-1.8.13_1 /usr/lib/arduino/lib/log4j-core-2.12.0.jar
- [x] elasticsearch-5.1.2_2 /usr/share/elasticsearch/lib/log4j-core-2.7.jar
- [x] sbt-1.3.10_2 /usr/share/sbt/lib/local-preloaded/org/apache/logging/log4j/log4j-core/2.11.2/log4j-core-2.11.2.jar
Also, Log4j 1.2 is EOL and full of CVEs:
- [x] davmail-5.5.1_2 /usr/share/davmail/lib/log4j-1.2.16.jar
- [x] zookeeper-3.4.13_2 /usr/share/zookeeper/lib/log4j-1.2.17.jar
cc @knusbaum @bougyman @Gottox @igorsantana @Trojan295