[-- Attachment #1: Type: text/plain, Size: 688 bytes --]
New issue by leahneukirchen on void-packages repository
https://github.com/void-linux/void-packages/issues/34534
Description:
These packages contain old, vulnerable versions of log4j.

- [ ] apache-jmeter-5.3_1 /usr/libexec/apache-jmeter/lib/log4j-core-2.13.1.jar
- [ ] apache-storm-2.2.0_3 /usr/lib/apache-storm/external/storm-autocreds/log4j-core-2.11.2.jar
- [ ] arduino-1.8.13_1 /usr/lib/arduino/lib/log4j-core-2.12.0.jar
- [ ] elasticsearch-5.1.2_2 /usr/share/elasticsearch/lib/log4j-core-2.7.jar
- [ ] sbt-1.3.10_2 /usr/share/sbt/lib/local-preloaded/org/apache/logging/log4j/log4j-core/2.11.2/log4j-core-2.11.2.jar

cc @knusbaum @bougyman @Gottox @igorsantana @Trojan295
[-- Attachment #1: Type: text/plain, Size: 235 bytes --]
New comment by leahneukirchen on void-packages repository
https://github.com/void-linux/void-packages/issues/34534#issuecomment-993928115
Comment:
cc @fosslinux @q66 @Piraty @nonchip @mobinmob (recent contributors to these packages)
[-- Attachment #1: Type: text/plain, Size: 195 bytes --]
New comment by hiljusti on void-packages repository
https://github.com/void-linux/void-packages/issues/34534#issuecomment-1007276248
Comment:
Got sbt building, but not familiar with any others
[-- Attachment #1: Type: text/plain, Size: 203 bytes --]
New comment by hiljusti on void-packages repository
https://github.com/void-linux/void-packages/issues/34534#issuecomment-1007276248
Comment:
Got sbt package building, but not familiar with any others
[-- Attachment #1: Type: text/plain, Size: 270 bytes --]
New comment by knusbaum on void-packages repository
https://github.com/void-linux/void-packages/issues/34534#issuecomment-1015714291
Comment:
apache-storm hasn't published new packages and replacing log4j and building it is non-trivial.
apache-jmeter I will look at.
[-- Attachment #1: Type: text/plain, Size: 214 bytes --]
New comment by knusbaum on void-packages repository
https://github.com/void-linux/void-packages/issues/34534#issuecomment-1015796312
Comment:
apache-jmeter: https://github.com/void-linux/void-packages/pull/35114
[-- Attachment #1: Type: text/plain, Size: 355 bytes --]
New comment by classabbyamp on void-packages repository
https://github.com/void-linux/void-packages/issues/34534#issuecomment-1169423970
Comment:
davmail: https://github.com/mguessan/davmail/issues/187 - fixed on trunk but not released
zookeeper: [jira issue](https://issues.apache.org/jira/browse/ZOOKEEPER-4427) - fixed in 3.8.0 by moving to logback
[-- Attachment #1: Type: text/plain, Size: 398 bytes --]
New comment by classabbyamp on void-packages repository
https://github.com/void-linux/void-packages/issues/34534#issuecomment-1169423970
Comment:
davmail: https://github.com/mguessan/davmail/issues/187 - fixed on trunk but not released (doesn't mention what changeset fixes it?)
zookeeper: [jira issue](https://issues.apache.org/jira/browse/ZOOKEEPER-4427) - fixed in 3.8.0 by moving to logback
[-- Attachment #1: Type: text/plain, Size: 293 bytes --]
New comment by github-actions[bot] on void-packages repository
https://github.com/void-linux/void-packages/issues/34534#issuecomment-1258874006
Comment:
Issues become stale 90 days after last activity and are closed 14 days after that. If this issue is still relevant bump it or assign it.
[-- Attachment #1: Type: text/plain, Size: 168 bytes --]
New comment by Piraty on void-packages repository
https://github.com/void-linux/void-packages/issues/34534#issuecomment-1260094858
Comment:
ping @Anachron (davmail)
[-- Attachment #1: Type: text/plain, Size: 216 bytes --]
New comment by Anachron on void-packages repository
https://github.com/void-linux/void-packages/issues/34534#issuecomment-1260570442
Comment:
Thanks for the ping, @Piraty, I'm currently building `davmail-6.0.1_1`.
[-- Attachment #1: Type: text/plain, Size: 324 bytes --]
New comment by Anachron on void-packages repository
https://github.com/void-linux/void-packages/issues/34534#issuecomment-1260570442
Comment:
Thanks for the ping, @Piraty, I'm currently building `davmail-6.0.1_1`.
Edit: Looks like `davmail` is not affected: https://sourceforge.net/p/davmail/support-requests/400/#a580
[-- Attachment #1: Type: text/plain, Size: 324 bytes --]
New comment by Anachron on void-packages repository
https://github.com/void-linux/void-packages/issues/34534#issuecomment-1260570442
Comment:
Thanks for the ping, @Piraty, I'm currently building `davmail-6.0.1_1`.
Edit: `davmail` is not affected by `log4j`: https://sourceforge.net/p/davmail/support-requests/400/#a580
[-- Attachment #1: Type: text/plain, Size: 186 bytes --]
New comment by classabbyamp on void-packages repository
https://github.com/void-linux/void-packages/issues/34534#issuecomment-1269544069
Comment:
with #39737 I think that's everything
[-- Attachment #1: Type: text/plain, Size: 866 bytes --]
Closed issue by leahneukirchen on void-packages repository
https://github.com/void-linux/void-packages/issues/34534
Description:
These packages contain old, vulnerable versions of log4j.

- [x] apache-jmeter-5.3_1 /usr/libexec/apache-jmeter/lib/log4j-core-2.13.1.jar
- [x] apache-storm-2.2.0_3 /usr/lib/apache-storm/external/storm-autocreds/log4j-core-2.11.2.jar
- [x] arduino-1.8.13_1 /usr/lib/arduino/lib/log4j-core-2.12.0.jar
- [x] elasticsearch-5.1.2_2 /usr/share/elasticsearch/lib/log4j-core-2.7.jar
- [x] sbt-1.3.10_2 /usr/share/sbt/lib/local-preloaded/org/apache/logging/log4j/log4j-core/2.11.2/log4j-core-2.11.2.jar

Also Log4j 1.2 is EOL and full of CVEs:

- [x] davmail-5.5.1_2 /usr/share/davmail/lib/log4j-1.2.16.jar
- [x] zookeeper-3.4.13_2 /usr/share/zookeeper/lib/log4j-1.2.17.jar

cc @knusbaum @bougyman @Gottox @igorsantana @Trojan295
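An added example, not part of the issue thread or of void-packages tooling: a filename-based audit that finds bundled log4j jars like the ones listed above and flags 1.x (EOL) and outdated log4j-core 2.x copies. The `MIN_LOG4J2` threshold and the names `classify` and `scan` are assumptions of this sketch; set the threshold to whatever release your policy requires.

```python
import os
import re

# Assumption: lowest log4j-core 2.x release your policy accepts; adjust as needed.
MIN_LOG4J2 = (2, 17, 1)

# Bundled jar names as they appear in the issue:
# log4j-core-2.13.1.jar (2.x core) and log4j-1.2.17.jar (1.x line).
JAR_RE = re.compile(r"^log4j-(core-)?(\d+(?:\.\d+)*)\.jar$")


def classify(path, min_v2=MIN_LOG4J2):
    """Return (version_string, verdict) for a log4j jar path, else None."""
    m = JAR_RE.match(os.path.basename(path))
    if not m:
        return None
    is_core, text = m.group(1) is not None, m.group(2)
    version = tuple(int(part) for part in text.split("."))
    if not is_core:
        # An unsuffixed jar name is the 1.x line, which is end-of-life.
        return (text, "eol-1.x") if version[0] == 1 else None
    # Tuple comparison handles short versions: (2, 7) < (2, 17, 1).
    return (text, "outdated" if version < min_v2 else "ok")


def scan(root, min_v2=MIN_LOG4J2):
    """Walk root and return sorted (path, version, verdict) for flagged jars."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            result = classify(name, min_v2)
            if result and result[1] != "ok":
                findings.append((os.path.join(dirpath, name), *result))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr"
    for path, version, verdict in scan(root):
        print(f"{verdict:8} {version:8} {path}")
```

Matching on file names only finds jars shipped under their upstream names, as in this issue; copies repackaged inside fat or shaded jars need a scan of archive contents instead.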