Date: Sunday, December 12, 2021 @ 16:08:33 Author: mtorromeo Revision: 1069148
patched to update log4j to version not vulnerable to CVE-2021-44228 Added: logstash/trunk/log4j.patch Modified: logstash/trunk/PKGBUILD -------------+ PKGBUILD | 14 +++++++++----- log4j.patch | 40 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+), 5 deletions(-) Modified: PKGBUILD =================================================================== --- PKGBUILD 2021-12-12 15:43:37 UTC (rev 1069147) +++ PKGBUILD 2021-12-12 16:08:33 UTC (rev 1069148) @@ -2,7 +2,7 @@ # Maintainer: Massimiliano Torromeo <[email protected]> pkgname=logstash -pkgver=7.10.1 +pkgver=7.10.2 _jrubyver=9.2.13.0 pkgrel=1 pkgdesc='Tool for managing events and logs' @@ -10,7 +10,7 @@ arch=('x86_64') license=('Apache') depends=('java-runtime-headless>=8' 'ruby' 'ruby-bundler' 'coreutils' 'awk') -makedepends=('java-environment<=14' 'git') +makedepends=('jdk11-openjdk' 'git') backup=('etc/conf.d/logstash' 'etc/logstash/jvm.options' 'etc/logstash/log4j2.properties' @@ -20,6 +20,7 @@ source=(https://github.com/elastic/logstash/archive/v${pkgver}/${pkgname}-${pkgver}.tar.gz https://repo1.maven.org/maven2/org/jruby/jruby-dist/${_jrubyver}/${_jrubydist} build.patch + log4j.patch logstash.service [email protected] logstash-sysuser.conf 
@@ -26,17 +27,19 @@
 logstash-tmpfile.conf
 bundle.config)
 noextract=(${_jrubydist})
-sha256sums=('9f4732d3c324d27ed348060eccf38840ec74f6baf155ef5f7347346b714a1c58'
+sha256sums=('52288699c9e14453e8655ac940c1d0ee51c8956f4b6356502b67c62abf228429'
 '73a8c241a162e644c87e864c3485c55adedeb82a6fd80fa3cb538fdacda7af58'
 '9ae56b463b465f16363f60670c7da4e84a9bf03c17324c4364c089d7a480cb4b'
+ '5e52cf3a4372c77dfcb1c5f48160f7a6da5d2f5fc9c84b22b63f91bef85c01dd'
 '2b8b29297202334c784fdd7f2eb8d7e776c24c783b3c9f8387b500ab0039335c'
 'a01ea29d4f53d785f6eb926ebfe445e64ed5b3dab5d0418848589dd79502d876'
 '18a68a59ddb0ce19778e83b65e68dd568d65b7180bf45b4cf298fb332d69eb26'
 '346b630484f8a35b1a549e94e53e3e151527852a29c72cc6e529221215a7f533'
 'fe05315345e4489458c3eecac43726800109c1e390e74a14584096f6c041fee1')
-sha512sums=('346c707fd60b82b414759b0f78d2e3c603e8341ae652940d37a0bc263ac313352033e8cfeb6727aa7275b2f5393d9aeb129fee0120d3b475059071ead329e1fa'
+sha512sums=('0163dc6d0a4efda4b1e075e63145029931df73dc7633c2601b45cebe10978bcf6972fa46341aa1c12ce949ed193e80d6d33937b791c5c75ff9fd155cf6c7ace2'
 '2cba016ad6a376252083122d51335610209d860c41de1902f5cd49ffc2f6b49c350b68df8fc4113c221255af4db7ec07980267b9888369811faf66db369e757c'
 'f6ddf9cc70a2c0cabaacf39fa26953c15af0060711713b2de69caddd2b8f845edde535f002cd7a0d0f8fc01abf934d887278fb6617b2a3d640284bc16ea34927'
+ 'fb166705f9e26e47c9b9219fcd814fef5cd602ad936600973132ad2c869a4091d727d5a76c2322ce5c871ac550478df0d502b2291fd54f04b9a32059ab6ea5b6'
 '817097565519dc7c5eac7521339947c74c6148683ca594356dd2ceb3274a1e94f8e7318ce310e0fe5789d7ab0d4c23404f814bef31036a11ddfec08d16814c69'
 'ce2cef4a784845b00d7c867273555811450bc459669abb5be944bfbbb02708129983e45376a9b308d6db22b2c7b4a7a212827a4826f2a27bc7e143cebc9abfe0'
 'd811dc3b18d0032b79b4669c9f6aefca49963897c309d83cbf87616c7b8cb5944c17c8072980bcd115d0fb57ef1624d98259ff1082d402d308c33e766ee89699'
@@ -54,6 +57,7 @@ sed 's|-XX:+UseParNewGC||g' -i config/jvm.options # patch -p1 -i "$srcdir"/build.patch + patch -p1 -i "$srcdir"/log4j.patch # Use system gradle (currently not working) # sed 's;./gradlew;gradle;g' -i rakelib/*.rake @@ -68,7 +72,7 @@ build() { cd ${pkgname}-${pkgver} - export PATH="/usr/lib/jvm/java-10-openjdk/bin:$PWD/vendor/jruby/bin:$PATH" + export PATH="/usr/lib/jvm/java-11-openjdk/bin:$PWD/vendor/jruby/bin:$PATH" # gradle -x :logstash-core:javadoc bootstrap (system gradle currently not working) RELEASE=1 OSS=1 ./gradlew -x :logstash-core:javadoc installDefaultGems Added: log4j.patch =================================================================== --- log4j.patch (rev 0) +++ log4j.patch 2021-12-12 16:08:33 UTC (rev 1069148) 
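Review bot: Nothing in build() checks that the tree produced by `./gradlew ... installDefaultGems` is free of older log4j-core jars, so the package could still ship a vulnerable copy if a bundled plugin or another Gradle subproject does not follow the patched logstash-core/build.gradle (inferred; those files are not shown). A guard after the gradlew line, for example `if find . -name 'log4j-core-*.jar' ! -name 'log4j-core-2.15.0.jar' | grep -q .; then return 1; fi`, would make the build fail instead of silently packaging a mixed set. The log4j jars themselves are resolved by Gradle at build time and are not covered by the sha256sums/sha512sums arrays, which pin only the patch file. build() continues past the end of this hunk.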
@@ -0,0 +1,40 @@
+diff --git a/logstash-core/build.gradle b/logstash-core/build.gradle
+index 5c837b2..703538e 100644
+--- a/logstash-core/build.gradle
++++ b/logstash-core/build.gradle
+@@ -30,6 +30,8 @@ String jrubyVersion = versionMap['jruby']['version']
+ String jacksonVersion = versionMap['jackson']
+ String jacksonDatabindVersion = versionMap['jackson-databind']
+
++String log4jVersion = '2.15.0'
++
+ repositories {
+ mavenCentral()
+ }
+@@ -153,12 +155,12 @@ def customJRubyDir = project.hasProperty("custom.jruby.path") ? project.property
+ def customJRubyVersion = customJRubyDir == "" ? "" : Files.readAllLines(Paths.get(customJRubyDir, "VERSION")).get(0).trim()
+
+ dependencies {
+- implementation 'org.apache.logging.log4j:log4j-api:2.13.3'
+- annotationProcessor 'org.apache.logging.log4j:log4j-core:2.13.3'
+- api 'org.apache.logging.log4j:log4j-core:2.13.3'
+- runtimeOnly 'org.apache.logging.log4j:log4j-slf4j-impl:2.13.3'
++ implementation "org.apache.logging.log4j:log4j-api:${log4jVersion}"
++ annotationProcessor "org.apache.logging.log4j:log4j-core:${log4jVersion}"
++ api "org.apache.logging.log4j:log4j-core:${log4jVersion}"
++ runtimeOnly "org.apache.logging.log4j:log4j-slf4j-impl:${log4jVersion}"
+ // concerns libraries such as manticore's http-client 4.5 (using commons-logging)
+- runtimeOnly 'org.apache.logging.log4j:log4j-jcl:2.13.3'
++ runtimeOnly "org.apache.logging.log4j:log4j-jcl:${log4jVersion}"
+ // for the log4j-jcl bridge to work commons-logging needs to be on the same class-path
+ runtimeOnly 'commons-logging:commons-logging:1.2'
+ implementation('org.reflections:reflections:0.9.11') {
+@@ -184,7 +186,7 @@ dependencies {
+ exclude group: 'com.google.guava', module: 'guava'
+ }
+ implementation 'org.javassist:javassist:3.26.0-GA'
+- testImplementation 'org.apache.logging.log4j:log4j-core:2.13.3:tests'
++ testImplementation "org.apache.logging.log4j:log4j-core:${log4jVersion}:tests"
+ testImplementation 'junit:junit:4.12'
+ testImplementation 'net.javacrumbs.json-unit:json-unit:2.3.0'
+ testImplementation 'org.elasticsearch:securemock:1.2'
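Review bot: The new `String log4jVersion = '2.15.0'` is a bare literal with no comment, while the neighbouring versions are read from `versionMap`, so a later maintainer cannot tell from build.gradle why this one is pinned or when the patch can be dropped. I would add `// Pinned downstream for CVE-2021-44228; remove once the upstream release carries a fixed log4j` above it. The substitution covers only the six log4j coordinates visible in this file; whether other build files in the source tree declare log4j separately cannot be seen here and is worth a grep before release. The `dependencies` block continues beyond the visible hunks.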
