Re: [ofbiz-framework] branch trunk updated: Fixed: [SECURITY] CVE-2021-44832: Apache Log4j2 (OFBIZ-12475)

2021-12-30 Thread Pierre Smits
Hi Jacques,

Re: OFBiz R22, I would like to see PR355 implemented.
Kind regards,

Pierre Smits
Proud contributor of Apache OFBiz since 2008 (without privileges)
Proud contributor to the ASF since 2006

Apache Directory, PMC Member


On Fri, Dec 31, 2021 at 8:25 AM jler...@apache.org 
wrote:

> Hi Jacopo, All,
>
> Ready to release 18.12.05?
>
> Also it'd be good to ASAP freeze 22.01. Then I'll adapt BuildBot config
> and ask Infra to restart the demos. We will need to also trivially update
> README.adoc. I'll put that in the freeze part of the release plan page in
> wiki.
>
> TIA
>
> Happy holidays :)
>
> Jacques
>
> On 29/12/2021 at 09:05, jler...@apache.org wrote:
> > This is an automated email from the ASF dual-hosted git repository.
> >
> > jleroux pushed a commit to branch trunk
> > in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
> >
> >
> > The following commit(s) were added to refs/heads/trunk by this push:
> >   new a744965  Fixed: [SECURITY] CVE-2021-44832: Apache Log4j2
> (OFBIZ-12475)
> > a744965 is described below
> >
> > commit a7449655678460ecd84ce6c04f7cc90bb55d1ea5
> > Author: Jacques Le Roux 
> > AuthorDate: Wed Dec 29 08:51:55 2021 +0100
> >
> >  Fixed: [SECURITY] CVE-2021-44832: Apache Log4j2 (OFBIZ-12475)
> >
> >  See complete explanation at
> https://issues.apache.org/jira/browse/OFBIZ-12475
> > ---
> >   build.gradle | 14 +++---
> >   1 file changed, 7 insertions(+), 7 deletions(-)
> >
> > diff --git a/build.gradle b/build.gradle
> > index 99206c3..0dc7486 100644
> > --- a/build.gradle
> > +++ b/build.gradle
> > @@ -217,8 +217,8 @@ dependencies {
> >   implementation
> 'org.apache.geronimo.components:geronimo-transaction:3.1.4'
> >   implementation
> 'org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1'
> >   implementation 'org.apache.httpcomponents:httpclient-cache:4.5.13'
> > -implementation 'org.apache.logging.log4j:log4j-api:2.17.0' // the
> API of log4j 2
> > -implementation 'org.apache.logging.log4j:log4j-core:2.17.0' //
> Somehow needed by Buildbot to compile OFBizDynamicThresholdFilter.java
> > +implementation 'org.apache.logging.log4j:log4j-api:2.17.1' // the
> API of log4j 2
> > +implementation 'org.apache.logging.log4j:log4j-core:2.17.1' //
> Somehow needed by Buildbot to compile OFBizDynamicThresholdFilter.java
> >   implementation 'org.apache.poi:poi:4.1.2' //
> poi-ooxml-schemas-5.0.0.pom'. Received status code 401 from server
> >   implementation 'org.apache.pdfbox:pdfbox:2.0.24'
> >   implementation 'org.apache.shiro:shiro-core:1.8.0'
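
Review bot: The version literal is hard-coded separately on the log4j-api and log4j-core lines in this hunk, and the diffstat shows the same literal edited on seven lines in total. Consider declaring the log4j version once (a single build variable, or importing org.apache.logging.log4j:log4j-bom as a platform) so that the next security bump is a one-line change and no artifact can be left behind at the previous version.
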
> > @@ -256,11 +256,11 @@ dependencies {
> >   runtimeOnly 'org.apache.axis2:axis2-transport-local:1.7.9' //
> Above: SOAPEventHandler.java:42: error: package
> org.apache.axiom.om.impl.builder does not exist
> >   runtimeOnly 'org.apache.derby:derby:10.14.2.0'  // So far we did
> not update from 10.14.2.0 because of a compile issue. You may try w/ a
> newer version than 10.15.1.3
> >   runtimeOnly
> 'org.apache.geronimo.specs:geronimo-jaxrpc_1.1_spec:2.1'
> > -runtimeOnly 'org.apache.logging.log4j:log4j-1.2-api:2.17.0' // for
> external jars using the old log4j1.2: routes logging to log4j 2
> > -runtimeOnly 'org.apache.logging.log4j:log4j-jul:2.17.0' // for
> external jars using the java.util.logging: routes logging to log4j 2
> > -runtimeOnly 'org.apache.logging.log4j:log4j-slf4j-impl:2.17.0' //
> for external jars using slf4j: routes logging to log4j 2
> > -runtimeOnly 'org.apache.logging.log4j:log4j-web:2.17.0' //???
> > -runtimeOnly 'org.apache.logging.log4j:log4j-jcl:2.17.0' // need to
> constrain to version to avoid classpath conflict (ReflectionUtil)
> > +runtimeOnly 'org.apache.logging.log4j:log4j-1.2-api:2.17.1' // for
> external jars using the old log4j1.2: routes logging to log4j 2
> > +runtimeOnly 'org.apache.logging.log4j:log4j-jul:2.17.1' // for
> external jars using the java.util.logging: routes logging to log4j 2
> > +runtimeOnly 'org.apache.logging.log4j:log4j-slf4j-impl:2.17.1' //
> for external jars using slf4j: routes logging to log4j 2
> > +runtimeOnly 'org.apache.logging.log4j:log4j-web:2.17.1' //???
> > +runtimeOnly 'org.apache.logging.log4j:log4j-jcl:2.17.1' // need to
> constrain to version to avoid classpath conflict (ReflectionUtil)
> >   runtimeOnly
> 'org.codeartisans.thirdparties.swing:batik-all:1.8pre-r1084380'
> >
> >   // Dependencies defined by the plugins
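
Review bot: The log4j-web line in this hunk still carries only `//???` as its comment, so the bump moves forward an artifact whose purpose is not recorded. Either document what requires log4j-web at runtime or drop the dependency if nothing does; every log4j artifact kept in the build is one more to re-check on each advisory.
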
>


Re: [ofbiz-framework] branch trunk updated: Fixed: [SECURITY] CVE-2021-44832: Apache Log4j2 (OFBIZ-12475)

2021-12-30 Thread jler...@apache.org

Hi Jacopo, All,

Ready to release 18.12.05?

Also it'd be good to ASAP freeze 22.01. Then I'll adapt BuildBot config and ask Infra to restart the demos. We will need to also trivially update 
README.adoc. I'll put that in the freeze part of the release plan page in wiki.


TIA

Happy holidays :)

Jacques

On 29/12/2021 at 09:05, jler...@apache.org wrote:

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
  new a744965  Fixed: [SECURITY] CVE-2021-44832: Apache Log4j2 (OFBIZ-12475)
a744965 is described below

commit a7449655678460ecd84ce6c04f7cc90bb55d1ea5
Author: Jacques Le Roux 
AuthorDate: Wed Dec 29 08:51:55 2021 +0100

 Fixed: [SECURITY] CVE-2021-44832: Apache Log4j2 (OFBIZ-12475)
 
 See complete explanation at https://issues.apache.org/jira/browse/OFBIZ-12475

---
  build.gradle | 14 +++---
  1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/build.gradle b/build.gradle
index 99206c3..0dc7486 100644
--- a/build.gradle
+++ b/build.gradle
@@ -217,8 +217,8 @@ dependencies {
  implementation 'org.apache.geronimo.components:geronimo-transaction:3.1.4'
  implementation 'org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1'
  implementation 'org.apache.httpcomponents:httpclient-cache:4.5.13'
-implementation 'org.apache.logging.log4j:log4j-api:2.17.0' // the API of 
log4j 2
-implementation 'org.apache.logging.log4j:log4j-core:2.17.0' // Somehow 
needed by Buildbot to compile OFBizDynamicThresholdFilter.java
+implementation 'org.apache.logging.log4j:log4j-api:2.17.1' // the API of 
log4j 2
+implementation 'org.apache.logging.log4j:log4j-core:2.17.1' // Somehow 
needed by Buildbot to compile OFBizDynamicThresholdFilter.java
  implementation 'org.apache.poi:poi:4.1.2' // 
poi-ooxml-schemas-5.0.0.pom'. Received status code 401 from server
  implementation 'org.apache.pdfbox:pdfbox:2.0.24'
  implementation 'org.apache.shiro:shiro-core:1.8.0'
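
Review bot: The comment on the log4j-core line ("Somehow needed by Buildbot to compile OFBizDynamicThresholdFilter.java") does not say why log4j-core has to be on the compile classpath rather than runtime only. Since this line is being touched for a security fix, replace "Somehow" with the actual reason (for example, which log4j-core types that class uses), so a later reviewer can tell whether the `implementation` scope is still required.
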
@@ -256,11 +256,11 @@ dependencies {
  runtimeOnly 'org.apache.axis2:axis2-transport-local:1.7.9' // Above: 
SOAPEventHandler.java:42: error: package org.apache.axiom.om.impl.builder does 
not exist
  runtimeOnly 'org.apache.derby:derby:10.14.2.0'  // So far we did not 
update from 10.14.2.0 because of a compile issue. You may try w/ a newer 
version than 10.15.1.3
  runtimeOnly 'org.apache.geronimo.specs:geronimo-jaxrpc_1.1_spec:2.1'
-runtimeOnly 'org.apache.logging.log4j:log4j-1.2-api:2.17.0' // for 
external jars using the old log4j1.2: routes logging to log4j 2
-runtimeOnly 'org.apache.logging.log4j:log4j-jul:2.17.0' // for external 
jars using the java.util.logging: routes logging to log4j 2
-runtimeOnly 'org.apache.logging.log4j:log4j-slf4j-impl:2.17.0' // for 
external jars using slf4j: routes logging to log4j 2
-runtimeOnly 'org.apache.logging.log4j:log4j-web:2.17.0' //???
-runtimeOnly 'org.apache.logging.log4j:log4j-jcl:2.17.0' // need to 
constrain to version to avoid classpath conflict (ReflectionUtil)
+runtimeOnly 'org.apache.logging.log4j:log4j-1.2-api:2.17.1' // for 
external jars using the old log4j1.2: routes logging to log4j 2
+runtimeOnly 'org.apache.logging.log4j:log4j-jul:2.17.1' // for external 
jars using the java.util.logging: routes logging to log4j 2
+runtimeOnly 'org.apache.logging.log4j:log4j-slf4j-impl:2.17.1' // for 
external jars using slf4j: routes logging to log4j 2
+runtimeOnly 'org.apache.logging.log4j:log4j-web:2.17.1' //???
+runtimeOnly 'org.apache.logging.log4j:log4j-jcl:2.17.1' // need to 
constrain to version to avoid classpath conflict (ReflectionUtil)
  runtimeOnly 
'org.codeartisans.thirdparties.swing:batik-all:1.8pre-r1084380'
  
  // Dependencies defined by the plugins
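
Review bot: These five runtimeOnly lines pin only the modules declared here, and the log4j-jcl comment already notes that a version has to be constrained to avoid a classpath conflict. A log4j module that is not listed but arrives transitively, or through the block that follows under "// Dependencies defined by the plugins", would stay at whatever version its parent requests. Consider a dependency constraint or resolution rule covering the whole org.apache.logging.log4j group, and confirm the resolved version with `gradlew dependencyInsight --dependency log4j-core` before release.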