There is a 2.16.0 release of log4j2.

Changes:
https://logging.apache.org/log4j/2.x/changes-report.html#a2.15.0

It removes the vulnerable functionality of message formatting and defaults JNDI to disabled (for configuration files, not logging messages).

It is not a second security update.

https://logging.apache.org/log4j/2.x/security.html

    Andy

On 13/12/2021 17:39, Andy Seaborne wrote:
FYI:

Details of the log4j2 for 2.15.0 -- the vulnerability permanent fix is the top of the list.

https://logging.apache.org/log4j/2.x/changes-report.html#a2.15.0

     Andy

On 10/12/2021 15:17, Andy Seaborne wrote:
More info in the users@ message of the dependency security issue.

https://lists.apache.org/thread/nc3gz7yvokc9ktkzs8078jr5t04nfmdy

The log4j2 issue affects Fuseki and command line tools.

With any recent Java, remote code execution is disabled by default.

We'll produce a 4.3.1 with an updated log4j2, and the ongoing improvements for xloader.

XLoader test run:

1B triples, 40kTPS, 06h 54m 10s

The database is 81G and building needs an additional 11.6G for workspace for a total of 92G (+ the data which was the first 1 billion triples of Wikidata truthy - 8.2 G nt.gz file).

     Andy
