I have submitted a detailed report to the security mailing list and will keep detail light here. Suffice it to say that I am proposing that the log4j development team adopt a fix that has already been made and published by Red Hat. The fix is to version 1.2.17, and I propose it be used to create version 1.2.18. I give links to the Red Hat security report and the source code for the fix.
On Sun, 15 Dec 2019 at 21:33, Kate Gray <[email protected]> wrote:

> Hello,
>
> I'm working on LOG4PHP, but I wanted to comment on the part about the
> ancient JDK. It's a situation I've had to deal with in the past (for
> things like Dell Remote Access).
>
> If there ultimately is a decision to patch the old software, there might
> be a logic in putting together a docker instance (or even a chroot
> package). I've found that it can be a lot easier than keeping a VM
> around. Oracle does have the old JDK 1.2 archive still up on their site,
> and there's a docker base image for Centos 4, which was released back in
> 2005. If the decision was made to release an update, I could likely put
> together an image for whoever wanted to release the update.
>
> Kate
>
> -----Original Message-----
> From: Ralph Goers <[email protected]>
> Sent: December 15, 2019 3:08 PM
> To: [email protected]
> Cc: [email protected]
> Subject: Re: Is there any chance that there will be a security fix for
> log4j-v1.2.17?
>
> While Gary is correct that we wouldn’t want to discuss a specific security
> vulnerability in public, we can discuss the policy here.
>
> For a number of reasons I would say the answer is “No”:
> It gives the impression that Log4j 1.x is not End-of-Life and that future
> enhancements and bug fixes could be accepted.
> We provide alternatives so that Log4j 1.x itself is not necessary. If
> features are missing in Log4j 2’s log4j 1.x binding then we would consider
> fixing those.
> None of the current committers has probably built Log4j 1 in the last 5
> years, much less attempted to perform a release.
> Log4j 1.x supported an ancient version of the JDK (1.2?). I am not even
> sure if that is possible any more. The oldest version I have installed is
> 1.7. I would have no idea how to validate that it was still compatible.
>
> Ralph
>
> > On Dec 15, 2019, at 7:25 AM, Gary Gregory <[email protected]>
> > wrote:
> >
> > Security issues should not be discussed in public for obvious reasons.
> > Please see https://www.apache.org/security/
> >
> > Gary
> >
> >
> > On Sun, Dec 15, 2019 at 7:01 AM Andrew Marlow
> > <[email protected]>
> > wrote:
> >
> >> Hello everyone,
> >>
> >> I know that log4j-v1 was announced as end of life back in 2015 and
> >> that all effort is on log4j2. However, I would very much like to see
> >> a new version, presumably it would be called 1.2.18, which addresses
> >> a security vulnerability. Is this the right place to discuss this please?
> >>
> >> --
> >> Regards,
> >>
> >> Andrew Marlow
> >> http://www.andrewpetermarlow.co.uk
> >>

--
Regards,

Andrew Marlow
http://www.andrewpetermarlow.co.uk
