Posted to dev@roller.apache.org by Michael Bien <mb...@gmail.com> on 2021/12/11 21:19:41 UTC
heads up when running roller from master branch
Hello Everyone,
Just a heads up in case you are building and running apache roller from
master, please rebuild your instance with the latest changes.
It contains an important dependency update
(https://github.com/apache/roller/pull/106) for log4j 2 which suffered
from a RCE security vulnerability, which was fixed in the latest version.
Apache Roller 6.0.2 (latest release) should not be affected by this
particular vulnerability since it still uses the old log4j 1 library.
best regards,
michael
Re: heads up when running roller from master branch
Posted by Michael Bien <mb...@gmail.com>.
Yeah, roller itself did log with log4j 1, however it did pull log4j 2 too
due to the fact that struts was/is using it, I just noticed.
So I retract my statement that roller 6.0.2 should not be affected by
this - the attack surface is just smaller.
I unified everything to slf4j and mapped it to log4j 2 as impl some time
ago but this is not in 6.0.2:
https://github.com/apache/roller/pull/68
HEAD on master is using slf4j -> log4j 2.15.0 which contains the fix as
previously mentioned
(I personally use a slf4j -> JFR bridge for my own blog.
https://github.com/mbien/JFRLog )
regards,
michael
On 11.12.21 23:05, Dave wrote:
> Nice! I did not remember that 6.0.2 still used Log4j 1.
>
> On Sat, Dec 11, 2021 at 4:20 PM Michael Bien <mb...@gmail.com> wrote:
>
>> Hello Everyone,
>>
>> Just a heads up in case you are building and running apache roller from
>> master, please rebuild your instance with the latest changes.
>>
>> It contains an important dependency update
>> (https://github.com/apache/roller/pull/106) for log4j 2 which suffered
>> from a RCE security vulnerability, which was fixed in the latest version.
>>
>> Apache Roller 6.0.2 (latest release) should not be affected by this
>> particular vulnerability since it still uses the old log4j 1 library.
>>
>> best regards,
>>
>> michael
>>
>>
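The point of Michael's correction is that a project can pull in log4j 2 transitively (here via struts) even when its own code logs through log4j 1 or slf4j, so the only reliable way to know is to inspect the resolved dependency tree. The following is an added example, not code from this thread or from the Roller project: a small Python script that parses `mvn dependency:tree` output and flags any resolved `log4j-core` 2.x below 2.15.0, the version the thread names as containing the fix. The sample tree text is constructed for the example (with a placeholder `org.example:web-framework` standing in for whatever framework drags log4j 2 in), and the threshold version is a parameter so it can be raised as later fixes land.

```python
import re
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree -Dverbose` output (not real Roller output).
# It models the situation in the thread: the app logs via slf4j -> log4j 2, but a
# web framework dependency also pulls in its own, older log4j 2 artifacts.
SAMPLE_TREE = """\
[INFO] org.example:webapp:war:1.0-SNAPSHOT
[INFO] +- org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:runtime
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.15.0:runtime
[INFO] +- org.example:web-framework:jar:3.1.0:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.12.1:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-api:jar:2.12.1:compile
[INFO] |  \\- (org.apache.logging.log4j:log4j-core:jar:2.11.0:compile - omitted for conflict with 2.12.1)
[INFO] \\- log4j:log4j:jar:1.2.17:compile
"""

# Maven coordinates in tree output: groupId:artifactId:type[:classifier]:version:scope
COORD_RE = re.compile(r"[A-Za-z0-9_.\-]+(?::[A-Za-z0-9_.\-]+){4,5}")

LOG4J2_GROUP = "org.apache.logging.log4j"
LOG4J1_GROUP = "log4j"


def version_tuple(version: str) -> Tuple[int, int, int]:
    """Turn '2.15.0' or '2.15.0-rc1' into a comparable (major, minor, patch) tuple."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))  # type: ignore[return-value]


def parse_tree(tree_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (groupId, artifactId, version, scope) for every resolved artifact.

    Lines marked 'omitted for ...' (shown with -Dverbose) describe artifacts Maven
    did NOT put on the classpath, so they are skipped rather than reported.
    """
    found = []
    for line in tree_text.splitlines():
        if "omitted for" in line:
            continue
        match = COORD_RE.search(line)
        if not match:
            continue
        parts = match.group(0).split(":")
        group_id, artifact_id = parts[0], parts[1]
        version, scope = parts[-2], parts[-1]  # classifier, if any, sits before version
        found.append((group_id, artifact_id, version, scope))
    return found


def log4j_artifacts(tree_text: str) -> List[Tuple[str, str, str, str]]:
    """Every resolved log4j 1.x or log4j 2.x artifact, direct or transitive."""
    return [a for a in parse_tree(tree_text) if a[0] in (LOG4J2_GROUP, LOG4J1_GROUP)]


def vulnerable_log4j_core(tree_text: str, fixed_version=(2, 15, 0)) -> List[str]:
    """Versions of log4j-core 2.x on the classpath that are below the fixed version.

    2.15.0 is the threshold named in the thread; pass a higher tuple if your
    policy requires a later release.
    """
    hits = []
    for group_id, artifact_id, version, _scope in parse_tree(tree_text):
        if group_id == LOG4J2_GROUP and artifact_id == "log4j-core":
            vt = version_tuple(version)
            if vt[0] == 2 and vt < fixed_version:
                hits.append(version)
    return hits


if __name__ == "__main__":
    # Real use: pipe `mvn dependency:tree -Dverbose` output into this script's stdin.
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    for group_id, artifact_id, version, scope in log4j_artifacts(text):
        print(f"{group_id}:{artifact_id}:{version} ({scope})")
    bad = vulnerable_log4j_core(text)
    print("vulnerable log4j-core versions:", bad or "none")
```

Run it against your own build with `mvn dependency:tree -Dverbose | python3 check_log4j.py`; the `-Dverbose` flag matters because it is what makes Maven print the conflict-resolution lines, and the script deliberately ignores the omitted ones so that only the copy actually on the classpath is judged.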
Re: heads up when running roller from master branch
Posted by Dave <sn...@gmail.com>.
Nice! I did not remember that 6.0.2 still used Log4j 1.
On Sat, Dec 11, 2021 at 4:20 PM Michael Bien <mb...@gmail.com> wrote:
> Hello Everyone,
>
> Just a heads up in case you are building and running apache roller from
> master, please rebuild your instance with the latest changes.
>
> It contains an important dependency update
> (https://github.com/apache/roller/pull/106) for log4j 2 which suffered
> from a RCE security vulnerability, which was fixed in the latest version.
>
> Apache Roller 6.0.2 (latest release) should not be affected by this
> particular vulnerability since it still uses the old log4j 1 library.
>
> best regards,
>
> michael
>
>