Posted to commits@lucene.apache.org by md...@apache.org on 2021/12/10 22:12:27 UTC

[lucene-solr] branch branch_8_11 updated: SOLR-15843 Update Log4J to 2.15 (#2627)

This is an automated email from the ASF dual-hosted git repository.

mdrob pushed a commit to branch branch_8_11
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git


The following commit(s) were added to refs/heads/branch_8_11 by this push:
     new e00c509  SOLR-15843 Update Log4J to 2.15 (#2627)
e00c509 is described below

commit e00c509119cb3308b7ec0c06734ae593ef0e74cc
Author: Mike Drob <md...@apache.org>
AuthorDate: Fri Dec 10 16:10:21 2021 -0600

    SOLR-15843 Update Log4J to 2.15 (#2627)
---
 lucene/ivy-versions.properties                           | 2 +-
 lucene/licenses/log4j-api-2.14.1.jar.sha1                | 1 -
 lucene/licenses/log4j-api-2.15.0.jar.sha1                | 1 +
 lucene/licenses/log4j-core-2.14.1.jar.sha1               | 1 -
 lucene/licenses/log4j-core-2.15.0.jar.sha1               | 1 +
 solr/CHANGES.txt                                         | 2 ++
 solr/bin/solr.in.cmd                                     | 6 +++++-
 solr/bin/solr.in.sh                                      | 4 ++++
 solr/licenses/log4j-1.2-api-2.14.1.jar.sha1              | 1 -
 solr/licenses/log4j-1.2-api-2.15.0.jar.sha1              | 1 +
 solr/licenses/log4j-api-2.14.1.jar.sha1                  | 1 -
 solr/licenses/log4j-api-2.15.0.jar.sha1                  | 1 +
 solr/licenses/log4j-core-2.14.1.jar.sha1                 | 1 -
 solr/licenses/log4j-core-2.15.0.jar.sha1                 | 1 +
 solr/licenses/log4j-layout-template-json-2.14.1.jar.sha1 | 1 -
 solr/licenses/log4j-layout-template-json-2.15.0.jar.sha1 | 1 +
 solr/licenses/log4j-slf4j-impl-2.14.1.jar.sha1           | 1 -
 solr/licenses/log4j-slf4j-impl-2.15.0.jar.sha1           | 1 +
 solr/licenses/log4j-web-2.14.1.jar.sha1                  | 1 -
 solr/licenses/log4j-web-2.15.0.jar.sha1                  | 1 +
 20 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/lucene/ivy-versions.properties b/lucene/ivy-versions.properties
index 32f2c1b..ab82337 100644
--- a/lucene/ivy-versions.properties
+++ b/lucene/ivy-versions.properties
@@ -234,7 +234,7 @@ org.apache.kerby.version = 1.0.1
 /org.apache.kerby/kerby-pkix = ${org.apache.kerby.version}
 /org.apache.kerby/kerby-util = ${org.apache.kerby.version}
 
-org.apache.logging.log4j.version = 2.14.1
+org.apache.logging.log4j.version = 2.15.0
 /org.apache.logging.log4j/log4j-1.2-api = ${org.apache.logging.log4j.version}
 /org.apache.logging.log4j/log4j-api = ${org.apache.logging.log4j.version}
 /org.apache.logging.log4j/log4j-core = ${org.apache.logging.log4j.version}
diff --git a/lucene/licenses/log4j-api-2.14.1.jar.sha1 b/lucene/licenses/log4j-api-2.14.1.jar.sha1
deleted file mode 100644
index 650ed8c..0000000
--- a/lucene/licenses/log4j-api-2.14.1.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-cd8858fbbde69f46bce8db1152c18a43328aae78
diff --git a/lucene/licenses/log4j-api-2.15.0.jar.sha1 b/lucene/licenses/log4j-api-2.15.0.jar.sha1
new file mode 100644
index 0000000..460ceee
--- /dev/null
+++ b/lucene/licenses/log4j-api-2.15.0.jar.sha1
@@ -0,0 +1 @@
+4a5aa7e55a29391c6f66e0b259d5189aa11e45d0
diff --git a/lucene/licenses/log4j-core-2.14.1.jar.sha1 b/lucene/licenses/log4j-core-2.14.1.jar.sha1
deleted file mode 100644
index 692beb9..0000000
--- a/lucene/licenses/log4j-core-2.14.1.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-9141212b8507ab50a45525b545b39d224614528b
diff --git a/lucene/licenses/log4j-core-2.15.0.jar.sha1 b/lucene/licenses/log4j-core-2.15.0.jar.sha1
new file mode 100644
index 0000000..7ed9852
--- /dev/null
+++ b/lucene/licenses/log4j-core-2.15.0.jar.sha1
@@ -0,0 +1 @@
+ba55c13d7ac2fd44df9cc8074455719a33f375b9
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index af5410e..748287d 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -43,6 +43,8 @@ Bug Fixes
 
 * SOLR-8319: Fix NPE in pivot facets, add non-Analyzed query method in FieldType. (Houston Putman, Isabelle Giguere)
 
+* SOLR-15843: Update Log4J to 2.15 (Mike Drob)
+
 ==================  8.11.0 ==================
 
 Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.
diff --git a/solr/bin/solr.in.cmd b/solr/bin/solr.in.cmd
index a5eee5c..c2224f1 100755
--- a/solr/bin/solr.in.cmd
+++ b/solr/bin/solr.in.cmd
@@ -208,4 +208,8 @@ REM set SOLR_SECURITY_MANAGER_ENABLED=false
 REM Solr is by default allowed to read and write data from/to SOLR_HOME and a few other well defined locations
 REM Sometimes it may be necessary to place a core or a backup on a different location or a different disk
 REM This parameter lets you specify file system path(s) to explicitly allow. The special value of '*' will allow any path
-REM SOLR_OPTS="%SOLR_OPTS% -Dsolr.allowPaths=D:\,E:\other\path"
+REM set SOLR_OPTS=%SOLR_OPTS% -Dsolr.allowPaths=D:\,E:\other\path
+
+REM Some previous versions of Solr use an outdated log4j dependency. If you are unable to use at least log4j version 2.15.0
+REM then enable the following setting to address CVE-2021-44228
+REM set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true
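Review bot: The comment added above the `-Dlog4j2.formatMsgNoLookups=true` line does not say which log4j versions honour the property, so an operator on an older release can enable it and assume the instance is covered. The property is only read by log4j 2.10 and later, and the Log4j project later documented that it does not close every lookup path, so it is a stopgap rather than an equivalent of the jar upgrade. I would add a line such as `REM This property is only honoured by log4j 2.10 and later and is a stopgap; replacing the log4j jars is the complete fix.` The same wording applies to the matching comment in the solr/bin/solr.in.sh hunk, with `#` in place of `REM`.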
diff --git a/solr/bin/solr.in.sh b/solr/bin/solr.in.sh
index 30b658e..de3a6fc 100644
--- a/solr/bin/solr.in.sh
+++ b/solr/bin/solr.in.sh
@@ -250,3 +250,7 @@
 # You can test this behaviour by setting SOLR_HEAP=25m
 #SOLR_HEAP_DUMP=true
 #SOLR_HEAP_DUMP_DIR=/var/log/dumps
+
+# Some previous versions of Solr use an outdated log4j dependency. If you are unable to use at least log4j version 2.15.0
+# then enable the following setting to address CVE-2021-44228
+# SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
diff --git a/solr/licenses/log4j-1.2-api-2.14.1.jar.sha1 b/solr/licenses/log4j-1.2-api-2.14.1.jar.sha1
deleted file mode 100644
index ef0bdbd..0000000
--- a/solr/licenses/log4j-1.2-api-2.14.1.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-6bfcc76fa1a1a41295aff0042200aaa82d9ac286
diff --git a/solr/licenses/log4j-1.2-api-2.15.0.jar.sha1 b/solr/licenses/log4j-1.2-api-2.15.0.jar.sha1
new file mode 100644
index 0000000..5eb0d83
--- /dev/null
+++ b/solr/licenses/log4j-1.2-api-2.15.0.jar.sha1
@@ -0,0 +1 @@
+bc960fe2acbe6f3952011f88a771de18301534e7
diff --git a/solr/licenses/log4j-api-2.14.1.jar.sha1 b/solr/licenses/log4j-api-2.14.1.jar.sha1
deleted file mode 100644
index 650ed8c..0000000
--- a/solr/licenses/log4j-api-2.14.1.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-cd8858fbbde69f46bce8db1152c18a43328aae78
diff --git a/solr/licenses/log4j-api-2.15.0.jar.sha1 b/solr/licenses/log4j-api-2.15.0.jar.sha1
new file mode 100644
index 0000000..460ceee
--- /dev/null
+++ b/solr/licenses/log4j-api-2.15.0.jar.sha1
@@ -0,0 +1 @@
+4a5aa7e55a29391c6f66e0b259d5189aa11e45d0
diff --git a/solr/licenses/log4j-core-2.14.1.jar.sha1 b/solr/licenses/log4j-core-2.14.1.jar.sha1
deleted file mode 100644
index 692beb9..0000000
--- a/solr/licenses/log4j-core-2.14.1.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-9141212b8507ab50a45525b545b39d224614528b
diff --git a/solr/licenses/log4j-core-2.15.0.jar.sha1 b/solr/licenses/log4j-core-2.15.0.jar.sha1
new file mode 100644
index 0000000..7ed9852
--- /dev/null
+++ b/solr/licenses/log4j-core-2.15.0.jar.sha1
@@ -0,0 +1 @@
+ba55c13d7ac2fd44df9cc8074455719a33f375b9
diff --git a/solr/licenses/log4j-layout-template-json-2.14.1.jar.sha1 b/solr/licenses/log4j-layout-template-json-2.14.1.jar.sha1
deleted file mode 100644
index e277e2a..0000000
--- a/solr/licenses/log4j-layout-template-json-2.14.1.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-40f93aa5aa26435353d52469ed7b6cebb1126240
diff --git a/solr/licenses/log4j-layout-template-json-2.15.0.jar.sha1 b/solr/licenses/log4j-layout-template-json-2.15.0.jar.sha1
new file mode 100644
index 0000000..49d1720
--- /dev/null
+++ b/solr/licenses/log4j-layout-template-json-2.15.0.jar.sha1
@@ -0,0 +1 @@
+295580f2a67d6af4e276dd415dc3d78cf0167208
diff --git a/solr/licenses/log4j-slf4j-impl-2.14.1.jar.sha1 b/solr/licenses/log4j-slf4j-impl-2.14.1.jar.sha1
deleted file mode 100644
index 4731cdb..0000000
--- a/solr/licenses/log4j-slf4j-impl-2.14.1.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-9a40554b8dab7ac9606089c87ae8a5ba914ec932
diff --git a/solr/licenses/log4j-slf4j-impl-2.15.0.jar.sha1 b/solr/licenses/log4j-slf4j-impl-2.15.0.jar.sha1
new file mode 100644
index 0000000..d967b11
--- /dev/null
+++ b/solr/licenses/log4j-slf4j-impl-2.15.0.jar.sha1
@@ -0,0 +1 @@
+8bb417869ab3baa19f2fc70e6d776d041f0a8ebc
diff --git a/solr/licenses/log4j-web-2.14.1.jar.sha1 b/solr/licenses/log4j-web-2.14.1.jar.sha1
deleted file mode 100644
index a0aedbf..0000000
--- a/solr/licenses/log4j-web-2.14.1.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-cab83afbb8f2efdc730035b86d6f7b170c3cc2e7
diff --git a/solr/licenses/log4j-web-2.15.0.jar.sha1 b/solr/licenses/log4j-web-2.15.0.jar.sha1
new file mode 100644
index 0000000..83513b1
--- /dev/null
+++ b/solr/licenses/log4j-web-2.15.0.jar.sha1
@@ -0,0 +1 @@
+0e2b1512cb85e38326844bdb707b6673e0e70eeb