Should we upgrade the Wonder jars to v2.16? I realize they are currently on v1.x which isn’t affected by the latest stirrings on the inter webs but maybe this is a good time to move it forward?
v1.x has a small number of vulnerabilities of its own, though most people aren’t affected by them either. > On Dec 16, 2021, at 5:13 PM, Paul Hoadley via Webobjects-dev > <webobjects-dev@lists.apple.com> wrote: > > Just to update this: > > On 14 Dec 2021, at 12:07, Paul Hoadley via Webobjects-dev > <webobjects-dev@lists.apple.com <mailto:webobjects-dev@lists.apple.com>> > wrote: > >> * In any case, if you're definitely using Log4J 2 (we are—I went to some >> effort months ago to set it up!), you can mitigate the issue immediately by >> re-launching all instances with "-Dlog4j2.formatMsgNoLookups=true". > > It turns out that this was not a complete mitigation: > > https://www.lunasec.io/docs/blog/log4j-zero-day/ > <https://www.lunasec.io/docs/blog/log4j-zero-day/> > >> That will give you time to re-build with Log4J 2.15.0. > > And that 2.15.0 was not a complete fix either: > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046 > <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046> > > Current release is 2.16.0, and you should update to that if you're using > Log4J 2. > > https://logging.apache.org/log4j/2.x/security.html > <https://logging.apache.org/log4j/2.x/security.html> > > > -- > Paul Hoadley > https://logicsquad.net/ <https://logicsquad.net/> > https://www.linkedin.com/company/logic-squad/ > > _______________________________________________ > Do not post admin requests to the list. They will be ignored. > Webobjects-dev mailing list (Webobjects-dev@lists.apple.com) > Help/Unsubscribe/Update your Subscription: > https://lists.apple.com/mailman/options/webobjects-dev/aaron%40chatnbike.com > > This email sent to aa...@chatnbike.com
_______________________________________________ Do not post admin requests to the list. They will be ignored. Webobjects-dev mailing list (Webobjects-dev@lists.apple.com) Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/webobjects-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
