You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@roller.apache.org by Michael Bien <mb...@gmail.com> on 2021/12/11 21:19:41 UTC

heads up when running roller from master branch

Hello Everyone,

Just a heads up in case you are building and running apache roller from 
master, please rebuild your instance with the latest changes.

It contains an important dependency update 
(https://github.com/apache/roller/pull/106) for log4j 2 which suffered 
from a RCE security vulnerability, which was fixed in the latest version.

Apache Roller 6.0.2 (latest release) should not be affected by this 
particular vulnerability since it still uses the old log4j 1 library.

best regards,

michael

Re: heads up when running roller from master branch

Posted by Michael Bien <mb...@gmail.com>.

yeah roller itself did log with log4j 1, however it did pull log4j 2 too 
due to the fact that struts was/is using it i just noticed.

So I retract my statement that roller 6.0.2 should not be affected by 
this - the attack surface is just smaller.

i unified everything to slf4j and mapped it to log4j 2 as impl some time 
ago but this is not in 6.0.2:
https://github.com/apache/roller/pull/68

HEAD on master is using slf4j -> log4j 2.15.0 which contains the fix as 
previously mentioned

(i personally use a slf4j -> JFR bridge for my own blog.
https://github.com/mbien/JFRLog )

regards,
michael


On 11.12.21 23:05, Dave wrote:
> Nice! I did not remember that 6.0.2 still used Log4j 1.
>
> On Sat, Dec 11, 2021 at 4:20 PM Michael Bien <mb...@gmail.com> wrote:
>
>> Hello Everyone,
>>
>> Just a heads up in case you are building and running apache roller from
>> master, please rebuild your instance with the latest changes.
>>
>> It contains an important dependency update
>> (https://github.com/apache/roller/pull/106) for log4j 2 which suffered
>> from a RCE security vulnerability, which was fixed in the latest version.
>>
>> Apache Roller 6.0.2 (latest release) should not be affected by this
>> particular vulnerability since it still uses the old log4j 1 library.
>>
>> best regards,
>>
>> michael
>>
>>

Re: heads up when running roller from master branch

Posted by Dave <sn...@gmail.com>.

Nice! I did not remember that 6.0.2 still used Log4j 1.

On Sat, Dec 11, 2021 at 4:20 PM Michael Bien <mb...@gmail.com> wrote:

> Hello Everyone,
>
> Just a heads up in case you are building and running apache roller from
> master, please rebuild your instance with the latest changes.
>
> It contains an important dependency update
> (https://github.com/apache/roller/pull/106) for log4j 2 which suffered
> from a RCE security vulnerability, which was fixed in the latest version.
>
> Apache Roller 6.0.2 (latest release) should not be affected by this
> particular vulnerability since it still uses the old log4j 1 library.
>
> best regards,
>
> michael
>
>