Posted to commits@ofbiz.apache.org by jl...@apache.org on 2021/12/29 08:05:41 UTC

[ofbiz-framework] branch trunk updated: Fixed: [SECURITY] CVE-2021-44832: Apache Log4j2 (OFBIZ-12475)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new a744965  Fixed: [SECURITY] CVE-2021-44832: Apache Log4j2 (OFBIZ-12475)
a744965 is described below

commit a7449655678460ecd84ce6c04f7cc90bb55d1ea5
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Wed Dec 29 08:51:55 2021 +0100

    Fixed: [SECURITY] CVE-2021-44832: Apache Log4j2 (OFBIZ-12475)
    
    See complete explanation at https://issues.apache.org/jira/browse/OFBIZ-12475
---
 build.gradle | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/build.gradle b/build.gradle
index 99206c3..0dc7486 100644
--- a/build.gradle
+++ b/build.gradle
@@ -217,8 +217,8 @@ dependencies {
     implementation 'org.apache.geronimo.components:geronimo-transaction:3.1.4'
     implementation 'org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1'
     implementation 'org.apache.httpcomponents:httpclient-cache:4.5.13'
-    implementation 'org.apache.logging.log4j:log4j-api:2.17.0' // the API of log4j 2
-    implementation 'org.apache.logging.log4j:log4j-core:2.17.0' // Somehow needed by Buildbot to compile OFBizDynamicThresholdFilter.java
+    implementation 'org.apache.logging.log4j:log4j-api:2.17.1' // the API of log4j 2
+    implementation 'org.apache.logging.log4j:log4j-core:2.17.1' // Somehow needed by Buildbot to compile OFBizDynamicThresholdFilter.java
     implementation 'org.apache.poi:poi:4.1.2' // poi-ooxml-schemas-5.0.0.pom'. Received status code 401 from server
     implementation 'org.apache.pdfbox:pdfbox:2.0.24'
     implementation 'org.apache.shiro:shiro-core:1.8.0'
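Review bot: the version string 2.17.1 is hand-edited on seven separate lines in this commit (log4j-api and log4j-core in this hunk, five more log4j artifacts in the next), so the next security bump has seven chances to leave one artifact behind at an older version; declaring the version once (a Gradle variable such as `def log4jVersion = '2.17.1'` used as `"org.apache.logging.log4j:log4j-core:${log4jVersion}"`, or the `org.apache.logging.log4j:log4j-bom` platform) would make the bump a one-line change. The comment on log4j-core, "Somehow needed by Buildbot to compile OFBizDynamicThresholdFilter.java", also leaves the real reason undocumented: if OFBizDynamicThresholdFilter.java extends a log4j-core filter class, log4j-core is a genuine compile-time dependency rather than a Buildbot quirk, and the comment should say so.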
@@ -256,11 +256,11 @@ dependencies {
     runtimeOnly 'org.apache.axis2:axis2-transport-local:1.7.9' // Above: SOAPEventHandler.java:42: error: package org.apache.axiom.om.impl.builder does not exist
     runtimeOnly 'org.apache.derby:derby:10.14.2.0'  // So far we did not update from 10.14.2.0 because of a compile issue. You may try w/ a newer version than 10.15.1.3
     runtimeOnly 'org.apache.geronimo.specs:geronimo-jaxrpc_1.1_spec:2.1'
-    runtimeOnly 'org.apache.logging.log4j:log4j-1.2-api:2.17.0' // for external jars using the old log4j1.2: routes logging to log4j 2
-    runtimeOnly 'org.apache.logging.log4j:log4j-jul:2.17.0' // for external jars using the java.util.logging: routes logging to log4j 2
-    runtimeOnly 'org.apache.logging.log4j:log4j-slf4j-impl:2.17.0' // for external jars using slf4j: routes logging to log4j 2
-    runtimeOnly 'org.apache.logging.log4j:log4j-web:2.17.0' //???
-    runtimeOnly 'org.apache.logging.log4j:log4j-jcl:2.17.0' // need to constrain to version to avoid classpath conflict (ReflectionUtil)
+    runtimeOnly 'org.apache.logging.log4j:log4j-1.2-api:2.17.1' // for external jars using the old log4j1.2: routes logging to log4j 2
+    runtimeOnly 'org.apache.logging.log4j:log4j-jul:2.17.1' // for external jars using the java.util.logging: routes logging to log4j 2
+    runtimeOnly 'org.apache.logging.log4j:log4j-slf4j-impl:2.17.1' // for external jars using slf4j: routes logging to log4j 2
+    runtimeOnly 'org.apache.logging.log4j:log4j-web:2.17.1' //???
+    runtimeOnly 'org.apache.logging.log4j:log4j-jcl:2.17.1' // need to constrain to version to avoid classpath conflict (ReflectionUtil)
     runtimeOnly 'org.codeartisans.thirdparties.swing:batik-all:1.8pre-r1084380'
 
     // Dependencies defined by the plugins
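Review bot: the `//???` on the log4j-web line survives this bump with no explanation; log4j-web is the servlet-container integration module (it registers the Log4j servlet context listener and filter so the logging context is initialised and shut down with the web application), so the comment should state that, or the dependency should be dropped if nothing in the deployment relies on it. All five bridge artifacts in this hunk (log4j-1.2-api, log4j-jul, log4j-slf4j-impl, log4j-web, log4j-jcl) must stay at exactly the same version as log4j-core in the previous hunk, since mixed 2.17.0/2.17.1 jars on the classpath are easy to miss; with the versions edited by hand, a `grep -n 'log4j' build.gradle` after the bump is the minimum check that no line was left behind.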

Re: [ofbiz-framework] branch trunk updated: Fixed: [SECURITY] CVE-2021-44832: Apache Log4j2 (OFBIZ-12475)

Posted by Pierre Smits <pi...@apache.org>.
Hi Jacques,

Re: OFBiz R22, I would like to see PR355 implemented.
Kind regards,

Pierre Smits
Proud contributor of Apache OFBiz <https://ofbiz.apache.org/> since
2008 (without privileges)
Proud contributor to the ASF since 2006

Apache Directory <https://directory.apache.org>, PMC Member


On Fri, Dec 31, 2021 at 8:25 AM jleroux@apache.org <jl...@apache.org>
wrote:

> Hi Jacopo, All,
>
> Ready to release 18.12.05?
>
> Also it'd be good to ASAP freeze 22.01. Then I'll adapt BuildBot config
> and ask Infra to restart the demos. We will need to also trivially update
> README.adoc. I'll put that in the freeze part of the release plan page in
> wiki.
>
> TIA
>
> Happy holidays :)
>
> Jacques
>

Re: [ofbiz-framework] branch trunk updated: Fixed: [SECURITY] CVE-2021-44832: Apache Log4j2 (OFBIZ-12475)

Posted by "jleroux@apache.org" <jl...@apache.org>.
Hi Jacopo, All,

Ready to release 18.12.05?

Also it'd be good to ASAP freeze 22.01. Then I'll adapt BuildBot config and ask Infra to restart the demos. We will need to also trivially update README.adoc. I'll put that in the freeze part of the release plan page in wiki.

TIA

Happy holidays :)

Jacques
