Hi everybody,

we might step in for the remaining days to upgrade log4j 1.x to something >= 2.15, also depending on the actual rate. I'll also send a private mail.

All the best,
Marc

On 13.12.21 at 08:03, Richard Duivenvoorde wrote:
> Hi Jody,
>
> Our 'OpenGeoGroep' in The Netherlands tries to give back around 10% of
> our profit to the FOSS projects we are using.
>
> As Geoserver is an important cornerstone for Open Geo stuff, and we
> were looking for candidates at this moment: we can sponsor at least 3
> days (depending on tariff).
>
> I will contact you in private.
>
> Regards,
>
> Richard Duivenvoorde
>
> On 12/12/21 20:37, Jody Garnett wrote:
>> We still have not had resources to update to log4j2 … if anyone has
>> budget or 3-5 days of time we would be happy to upgrade and patch for
>> this vulnerability.
>>
>> Seriously our version of log4j is no longer supported and some
>> technical debt that could use some love :)
>>
>> Jody
>>
>> On Sun, Dec 12, 2021 at 1:15 AM Richard Duivenvoorde
>> <rdmaili...@duif.net> wrote:
>>
>>     Hi Devs,
>>
>>     In our national IT security group (and national news) there is an
>>     item about an issue with log4j2, pointing to:
>>
>>     http://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228
>>     or
>>     https://logging.apache.org/log4j/2.x/security.html
>>
>>     As I deployed some Geoservers at some servers here and there :-)
>>     I'm wondering IF Geoserver (as being a public faced java application)
>>     is vulnerable or not...
>>
>>     Anybody can confirm Geoserver (or Tomcat) use log4j(2?) <=2.14.1?
>>     Or actually should Geoserver users do the mitigation actions written
>>     in the apache security link?
>>     OR totally is not affected...
>>
>>     Any hints appreciated,
>>
>>     Regards,
>>
>>     Richard Duivenvoorde
>>
>>     _______________________________________________
>>     Geoserver-devel mailing list
>>     Geoserver-devel@lists.sourceforge.net
>>     https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>>
>> --
>> Jody Garnett

-- 
Marc Jansen
Managing Director
terrestris GmbH & Co. KG
Kölnstraße 99
53111 Bonn

Tel: +49 (0)228 / 96 28 99 -53
Fax: +49 (0)228 / 96 28 99 -57
Email: jan...@terrestris.de
Web: https://www.terrestris.de

Bonn Local Court (Amtsgericht Bonn), HRA 6835
General partner: terrestris Verwaltungsgesellschaft mbH
represented by: Torsten Brassat, Marc Jansen

Information about your stored data can be found on our homepage at the following link:
https://www.terrestris.de/datenschutzerklaerung/