lewismc commented on pull request #713:
URL: https://github.com/apache/nutch/pull/713#issuecomment-992870039


Thanks for pointing that out.
A Log4j 1.x bug (https://bugzilla.redhat.com/show_bug.cgi?id=2031667) does
also exist, albeit it is not the same as the Zero Day vulnerability
(10/10) and requires explicit configuration to enable the JMSAppender. If
you set TopicBindingName or TopicConnectionFactoryBindingName to something
that JNDI can handle … 1.x is vulnerable, just the attack vector is "safer" as
it depends on configuration.

There are other RCE exploits against 1.x. It's end of life and a release
of master branch with the upgrade to 2.15+ would be a good idea.

I'm happy to perform the release unless you want to go ahead with it. Thanks

+1 go this patch
   
On Mon, Dec 13, 2021 at 12:01 Sebastian Nagel ***@***.***>
wrote:

> +1 shall we push a release?
>
> The released 1.18 still uses log4j 1.x and indexer-elastic ships only with
> log4j-api - if I'm not wrong only Nutch master is affected and no released
> version. But it would be good to have a second look at the issue and also to
> prepare for a release in the near future.
-- 
http://home.apache.org/~lewismc/
http://people.apache.org/keys/committer/lewismc

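A defender's check for the condition the comment above describes (Log4j 1.x is only exposed through the JMSAppender when it is explicitly configured with TopicBindingName or TopicConnectionFactoryBindingName). This is an added example, not code from the Nutch project or the commenter; it assumes the standard Log4j 1.x `log4j.properties` layout and runs over a constructed sample config.

```python
"""Audit a Log4j 1.x properties file for an enabled JMSAppender.

Added example, not code from the Nutch PR: Log4j 1.x is only exposed through
JMSAppender when TopicBindingName / TopicConnectionFactoryBindingName are
configured, so check whether a deployed log4j.properties enables it at all.
"""
import re

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
JNDI_KEYS = ("TopicBindingName", "TopicConnectionFactoryBindingName")

# "log4j.appender.<name>=<class>" or "log4j.appender.<name>.<option>=<value>"
_APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)(?:\.([^=\s]+))?\s*=\s*(.*?)\s*$")


def parse_appenders(text):
    """Return {appender_name: {"class": <class>, <option>: <value>, ...}}."""
    appenders = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue  # blank line or properties-file comment
        m = _APPENDER_RE.match(line)
        if m:
            name, option, value = m.groups()
            appenders.setdefault(name, {})["class" if option is None else option] = value
    return appenders


def audit(text):
    """Return (appender_name, JNDI keys set) for each appender using JMSAppender."""
    findings = []
    for name, opts in parse_appenders(text).items():
        if opts.get("class") == JMS_APPENDER:
            findings.append((name, tuple(k for k in JNDI_KEYS if k in opts)))
    return findings


# Constructed sample config: a console appender plus a JMSAppender with JNDI names set
SAMPLE_CONFIG = """
# constructed log4j.properties for this example
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
"""

if __name__ == "__main__":
    for name, jndi in audit(SAMPLE_CONFIG):
        print(f"{name}: JMSAppender enabled; JNDI names set: {', '.join(jndi) or 'none'}")
```

An empty result means no appender in that file loads the JMSAppender class, which is the configuration-dependent precondition the comment refers to; a hit with either JNDI key set is the case to remediate by removing the appender or upgrading off 1.x.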

