Re: Any ports use log4j 2?

2021-12-14 Thread Gerben Wierda via macports-users
I see in GitHub that the mitigation for apache-solr8 has already been added 
(together with the 0.8.11 update). Great work!

Gerben Wierda
R&A IT Strategy
Book: Chess and the Art of Enterprise Architecture
Book: Mastering ArchiMate

> On 14 Dec 2021, at 15:36, Gerben Wierda via macports-users wrote:
> 
> It is super scary.
> 
> Apache solr8 is vulnerable. There is no 0.8.11 yet. Mitigation required:
> 
>   • (Linux/MacOS) Edit your solr.in.sh file to include: 
> SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
> 
> 
> Gerben Wierda
> R&A IT Strategy
> Book: Chess and the Art of Enterprise Architecture
> Book: Mastering ArchiMate
> 
>> On 11 Dec 2021, at 18:24, Richard L. Hamilton wrote:
>> 
>> CVE-2021-44228 sounds kinda scary!
>> 
>> -- 
>> eMail:   mailto:rlha...@smart.net 
>> 
> 



Re: Any ports use log4j 2?

2021-12-14 Thread Gerben Wierda via macports-users
It is super scary.

Apache solr8 is vulnerable. There is no 0.8.11 yet. Mitigation required:

• (Linux/MacOS) Edit your solr.in.sh file to include: 
SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"


Gerben Wierda
R&A IT Strategy
Book: Chess and the Art of Enterprise Architecture
Book: Mastering ArchiMate

> On 11 Dec 2021, at 18:24, Richard L. Hamilton wrote:
> 
> CVE-2021-44228 sounds kinda scary!
> 
> -- 
> eMail:mailto:rlha...@smart.net 
> 
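
One way to confirm that the solr.in.sh mitigation quoted in the message above is actually in effect, and to add it idempotently when it is not. This is an added example, not part of the thread and not MacPorts or Solr code; the function names are hypothetical and the path to solr.in.sh is supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the SOLR_OPTS value that results
# from sourcing solr.in.sh, so a commented-out or later-overwritten line
# does not count as mitigated. Run it only on a file you already trust:
# sourcing executes it, as the Solr start script does when it reads the file.

# Print the SOLR_OPTS the file produces, evaluated in a throwaway subshell.
effective_opts() (
    case $1 in */*) f=$1 ;; *) f=./$1 ;; esac   # keep '.' from searching PATH
    SOLR_OPTS=
    . "$f" >/dev/null 2>&1
    printf '%s\n' "$SOLR_OPTS"
)

# Print one of: applied | missing | conflicting
mitigation_state() (
    set -f                                      # split on spaces, no globbing
    seen=missing
    for opt in $(effective_opts "$1"); do
        case $opt in
            -Dlog4j2.formatMsgNoLookups=true)
                [ "$seen" = conflicting ] || seen=applied ;;
            -Dlog4j2.formatMsgNoLookups=*)
                seen=conflicting ;;
        esac
    done
    echo "$seen"
)

# Append the line from the thread only when the flag is missing; keep a backup.
# Returns 1 on a conflicting value so that it gets fixed by hand.
apply_mitigation() {
    case $(mitigation_state "$1") in
        applied)     return 0 ;;
        conflicting) return 1 ;;
    esac
    cp -p "$1" "$1.bak" || return 1
    # If the file lacks a final newline, add one before appending.
    [ -z "$(tail -c 1 "$1")" ] || echo >>"$1"
    printf '%s\n' 'SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"' >>"$1"
}
```

Restart Solr after the file changes so the new option reaches the JVM.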



Re: Any ports use log4j 2?

2021-12-11 Thread Perry Lee
On Sat, Dec 11, 2021, at 10:34 AM, Ryan Schmidt wrote:
> On Dec 11, 2021, at 11:24, Richard L. Hamilton wrote:
>
>> CVE-2021-44228 sounds kinda scary!
>
> We appear to have a jakarta-log4j port but it is version 1.x, not 2.

Log4j 1.x isn't affected by that CVE [1], though there is a vulnerability that 
depends on configuration, not user input [2].

[1] https://github.com/apache/logging-log4j2/pull/608#issuecomment-991387493
[2] https://github.com/apache/logging-log4j2/pull/608#issuecomment-991730650


Re: Any ports use log4j 2?

2021-12-11 Thread Ryan Schmidt


On Dec 11, 2021, at 11:24, Richard L. Hamilton wrote:

> CVE-2021-44228 sounds kinda scary!

We appear to have a jakarta-log4j port but it is version 1.x, not 2.




Any ports use log4j 2?

2021-12-11 Thread Richard L. Hamilton
CVE-2021-44228 sounds kinda scary!

-- 
eMail:  mailto:rlha...@smart.net