Github messages for voidlinux
* [ISSUE] log4j fallout
From: leahneukirchen @ 2021-12-14 19:46 UTC (permalink / raw)
  To: ml

New issue by leahneukirchen on void-packages repository

https://github.com/void-linux/void-packages/issues/34534

Description:
These packages contain old, vulnerable versions of log4j.

- [ ] apache-jmeter-5.3_1	/usr/libexec/apache-jmeter/lib/log4j-core-2.13.1.jar
- [ ] apache-storm-2.2.0_3	/usr/lib/apache-storm/external/storm-autocreds/log4j-core-2.11.2.jar
- [ ] arduino-1.8.13_1	/usr/lib/arduino/lib/log4j-core-2.12.0.jar
- [ ] elasticsearch-5.1.2_2	/usr/share/elasticsearch/lib/log4j-core-2.7.jar
- [ ] sbt-1.3.10_2	/usr/share/sbt/lib/local-preloaded/org/apache/logging/log4j/log4j-core/2.11.2/log4j-core-2.11.2.jar

cc @knusbaum @bougyman @Gottox @igorsantana @Trojan295 

* Re: log4j fallout
From: leahneukirchen @ 2021-12-14 19:53 UTC (permalink / raw)
  To: ml

New comment by leahneukirchen on void-packages repository

https://github.com/void-linux/void-packages/issues/34534#issuecomment-993928115

Comment:
cc @fosslinux @q66 @Piraty @nonchip @mobinmob (recent contributors to these packages)

* Re: log4j fallout
From: hiljusti @ 2022-01-07  9:54 UTC (permalink / raw)
  To: ml

New comment by hiljusti on void-packages repository

https://github.com/void-linux/void-packages/issues/34534#issuecomment-1007276248

Comment:
Got sbt building, but not familiar with any others

* Re: log4j fallout
From: hiljusti @ 2022-01-07  9:54 UTC (permalink / raw)
  To: ml

New comment by hiljusti on void-packages repository

https://github.com/void-linux/void-packages/issues/34534#issuecomment-1007276248

Comment:
Got sbt package building, but not familiar with any others

* Re: log4j fallout
From: knusbaum @ 2022-01-18 18:43 UTC (permalink / raw)
  To: ml

New comment by knusbaum on void-packages repository

https://github.com/void-linux/void-packages/issues/34534#issuecomment-1015714291

Comment:
apache-storm hasn't published new packages and replacing log4j and building it is non-trivial.
apache-jmeter I will look at.

* Re: log4j fallout
From: knusbaum @ 2022-01-18 20:12 UTC (permalink / raw)
  To: ml

New comment by knusbaum on void-packages repository

https://github.com/void-linux/void-packages/issues/34534#issuecomment-1015796312

Comment:
apache-jmeter: https://github.com/void-linux/void-packages/pull/35114

* Re: log4j fallout
From: classabbyamp @ 2022-06-29  0:55 UTC (permalink / raw)
  To: ml

New comment by classabbyamp on void-packages repository

https://github.com/void-linux/void-packages/issues/34534#issuecomment-1169423970

Comment:
davmail: https://github.com/mguessan/davmail/issues/187 - fixed on trunk but not released
zookeeper: [jira issue](https://issues.apache.org/jira/browse/ZOOKEEPER-4427) - fixed in 3.8.0 by moving to logback

* Re: log4j fallout
From: classabbyamp @ 2022-06-29  0:55 UTC (permalink / raw)
  To: ml

New comment by classabbyamp on void-packages repository

https://github.com/void-linux/void-packages/issues/34534#issuecomment-1169423970

Comment:
davmail: https://github.com/mguessan/davmail/issues/187 - fixed on trunk but not released (doesn't mention what changeset fixes it?)
zookeeper: [jira issue](https://issues.apache.org/jira/browse/ZOOKEEPER-4427) - fixed in 3.8.0 by moving to logback

* Re: log4j fallout
From: github-actions @ 2022-09-27  2:13 UTC (permalink / raw)
  To: ml

New comment by github-actions[bot] on void-packages repository

https://github.com/void-linux/void-packages/issues/34534#issuecomment-1258874006

Comment:
Issues become stale 90 days after last activity and are closed 14 days after that.  If this issue is still relevant bump it or assign it.

* Re: log4j fallout
From: Piraty @ 2022-09-27 21:55 UTC (permalink / raw)
  To: ml

New comment by Piraty on void-packages repository

https://github.com/void-linux/void-packages/issues/34534#issuecomment-1260094858

Comment:
ping @Anachron (davmail) 

* Re: log4j fallout
From: Anachron @ 2022-09-28  8:33 UTC (permalink / raw)
  To: ml

New comment by Anachron on void-packages repository

https://github.com/void-linux/void-packages/issues/34534#issuecomment-1260570442

Comment:
Thanks for the ping, @Piraty, I'm currently building `davmail-6.0.1_1`.

* Re: log4j fallout
From: Anachron @ 2022-09-28  8:36 UTC (permalink / raw)
  To: ml

New comment by Anachron on void-packages repository

https://github.com/void-linux/void-packages/issues/34534#issuecomment-1260570442

Comment:
Thanks for the ping, @Piraty, I'm currently building `davmail-6.0.1_1`.

Edit: Looks like `davmail` is not affected: https://sourceforge.net/p/davmail/support-requests/400/#a580

* Re: log4j fallout
From: Anachron @ 2022-09-28  8:42 UTC (permalink / raw)
  To: ml

New comment by Anachron on void-packages repository

https://github.com/void-linux/void-packages/issues/34534#issuecomment-1260570442

Comment:
Thanks for the ping, @Piraty, I'm currently building `davmail-6.0.1_1`.

Edit: `davmail` is not affected by `log4j`: https://sourceforge.net/p/davmail/support-requests/400/#a580

* Re: log4j fallout
From: classabbyamp @ 2022-10-06  8:08 UTC (permalink / raw)
  To: ml

New comment by classabbyamp on void-packages repository

https://github.com/void-linux/void-packages/issues/34534#issuecomment-1269544069

Comment:
with #39737 I think that's everything

* Re: [ISSUE] [CLOSED] log4j fallout
From: classabbyamp @ 2022-10-06  8:08 UTC (permalink / raw)
  To: ml

Closed issue by leahneukirchen on void-packages repository

https://github.com/void-linux/void-packages/issues/34534

Description:
These packages contain old, vulnerable versions of log4j.

- [x] apache-jmeter-5.3_1	/usr/libexec/apache-jmeter/lib/log4j-core-2.13.1.jar
- [x] apache-storm-2.2.0_3	/usr/lib/apache-storm/external/storm-autocreds/log4j-core-2.11.2.jar
- [x] arduino-1.8.13_1	/usr/lib/arduino/lib/log4j-core-2.12.0.jar
- [x] elasticsearch-5.1.2_2	/usr/share/elasticsearch/lib/log4j-core-2.7.jar
- [x] sbt-1.3.10_2	/usr/share/sbt/lib/local-preloaded/org/apache/logging/log4j/log4j-core/2.11.2/log4j-core-2.11.2.jar

Also, Log4j 1.2 is EOL and full of CVEs:

- [x] davmail-5.5.1_2	/usr/share/davmail/lib/log4j-1.2.16.jar
- [x] zookeeper-3.4.13_2	/usr/share/zookeeper/lib/log4j-1.2.17.jar

cc @knusbaum @bougyman @Gottox @igorsantana @Trojan295 
