Yeah, Roller itself did log with log4j 1; however, it did pull in log4j 2 too, due to the fact that Struts was/is using it, I just noticed.

So I retract my statement that roller 6.0.2 should not be affected by this - the attack surface is just smaller.

I unified everything to slf4j and mapped it to log4j 2 as the implementation some time ago, but this is not in 6.0.2:
https://github.com/apache/roller/pull/68

HEAD on master is using slf4j -> log4j 2.15.0, which contains the fix, as previously mentioned.

(I personally use an slf4j -> JFR bridge for my own blog:
https://github.com/mbien/JFRLog )

regards,
michael


On 11.12.21 23:05, Dave wrote:
Nice! I did not remember that 6.0.2 still used Log4j 1.

On Sat, Dec 11, 2021 at 4:20 PM Michael Bien <mbie...@gmail.com> wrote:

Hello Everyone,

Just a heads up in case you are building and running Apache Roller from
master: please rebuild your instance with the latest changes.

It contains an important dependency update
(https://github.com/apache/roller/pull/106) for log4j 2, which suffered
from an RCE security vulnerability that was fixed in the latest version.

Apache Roller 6.0.2 (latest release) should not be affected by this
particular vulnerability since it still uses the old log4j 1 library.

best regards,

michael
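The point of the thread is that "we log with log4j 1" does not settle the question: a transitive dependency (here Struts) can still put log4j-core 2.x on the classpath, inside the WAR, where nobody looks. The following scanner is an added example, not code from the thread or from the Roller project. It walks a deployment directory, opens every .jar/.war (and the jars nested inside a WAR's WEB-INF/lib), classifies each as log4j 1.x or log4j-core 2.x by well-known class paths, reads the version from the Maven pom.properties that log4j-core ships, and flags any log4j-core that still contains JndiLookup.class below a minimum version. The minimum defaults to 2.15.0 to match the thread; later Log4j releases (2.16.0 and 2.17.x) addressed follow-up CVEs, so set it to whatever your current advisory requires. The sample deployment it builds (a roller.war with a log4j 1.2 jar plus an old log4j-core 2.14.1, and a separately patched 2.15.0 jar) is constructed in a temporary directory and is not a real Roller build; the jar names and the class-path heuristics are assumptions for the demo.

```python
"""Find every Log4j jar in a deployment, including ones pulled in
transitively, and report which still ship the JNDI lookup (CVE-2021-44228).
Added example; not part of the Roller project or the mailing-list thread."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Class that implements the JNDI lookup in log4j-core 2.x.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that log4j-core jars carry; it holds the version string.
LOG4J2_CORE_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Heuristic markers (assumption): log4j 1.x defines org/apache/log4j/Logger,
# while only log4j-core 2.x owns the org/apache/logging/log4j/core package.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
LOG4J2_MARKER = "org/apache/logging/log4j/core/"


def parse_version(text):
    """'2.15.0' -> (2, 15, 0); tolerant of suffixes such as '2.15.0-rc1'."""
    return tuple(int(x) for x in re.findall(r"\d+", text)[:3])


def inspect_zip(zf, label, min_version):
    """Classify one opened jar; return None if it is not a log4j jar."""
    names = set(zf.namelist())
    if any(n.startswith(LOG4J2_MARKER) for n in names):
        version = None
        if LOG4J2_CORE_PROPS in names:
            for line in zf.read(LOG4J2_CORE_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_LOOKUP in names
        # Unknown version is treated as old: be conservative, not optimistic.
        too_old = version is None or parse_version(version) < parse_version(min_version)
        return {"jar": label, "kind": "log4j2-core", "version": version,
                "jndi_lookup": has_jndi, "vulnerable": has_jndi and too_old}
    if LOG4J1_MARKER in names:
        return {"jar": label, "kind": "log4j1", "version": None,
                "jndi_lookup": False, "vulnerable": False}
    return None


def scan(root, min_version="2.15.0"):
    """Scan a directory tree for jars/wars and jars nested inside them."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix not in (".jar", ".war", ".zip"):
            continue
        try:
            with zipfile.ZipFile(path) as zf:
                found = inspect_zip(zf, str(path), min_version)
                if found:
                    findings.append(found)
                # A WAR bundles its dependencies under WEB-INF/lib; a plain
                # directory listing never shows those, so open them too.
                for inner in zf.namelist():
                    if inner.endswith(".jar"):
                        with zipfile.ZipFile(io.BytesIO(zf.read(inner))) as nested:
                            found = inspect_zip(nested, f"{path}!{inner}", min_version)
                            if found:
                                findings.append(found)
        except zipfile.BadZipFile:
            continue  # not a real zip (e.g. a stray file with a .jar suffix)
    return findings


def _jar_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def make_sample_deployment(root):
    """Constructed fixture (assumption, not a real Roller build): a roller.war
    whose WEB-INF/lib has log4j 1.2 for Roller's own logging plus an old
    log4j-core 2.x pulled in transitively, and a separately patched jar."""
    root = Path(root)
    (root / "webapps").mkdir(parents=True)
    (root / "lib").mkdir()
    stub = b"\xca\xfe\xba\xbe"  # class-file magic is enough for a marker entry
    log4j1 = _jar_bytes({LOG4J1_MARKER: stub})
    old_core = _jar_bytes({JNDI_LOOKUP: stub, LOG4J2_MARKER + "Logger.class": stub,
                           LOG4J2_CORE_PROPS: b"version=2.14.1\n"})
    war = _jar_bytes({"WEB-INF/lib/log4j-1.2.17.jar": log4j1,
                      "WEB-INF/lib/log4j-core-2.14.1.jar": old_core,
                      "WEB-INF/web.xml": b"<web-app/>"})
    (root / "webapps" / "roller.war").write_bytes(war)
    new_core = _jar_bytes({JNDI_LOOKUP: stub, LOG4J2_MARKER + "Logger.class": stub,
                           LOG4J2_CORE_PROPS: b"version=2.15.0\n"})
    (root / "lib" / "log4j-core-2.15.0.jar").write_bytes(new_core)


def demo():
    """Build the fixture, scan it, print a report and return compact tuples."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_deployment(tmp)
        findings = scan(tmp)
        for f in findings:
            status = "VULNERABLE" if f["vulnerable"] else "ok"
            print(f"{status:10} {f['kind']:12} {f['version']!s:8} {f['jar'].replace(tmp, '$ROLLER')}")
        return [(Path(f["jar"].split("!")[-1]).name, f["kind"], f["version"], f["vulnerable"])
                for f in findings]


if __name__ == "__main__":
    demo()
```

Run it against a real install with `scan("/path/to/tomcat")`; the only jar it will flag is a log4j-core 2.x below the threshold that still contains JndiLookup.class, which is exactly the jar the thread says Roller inherits from Struts. A clean log4j 1.2 jar shows up as `log4j1` so you can see both generations side by side, which is the situation the first message in this thread overlooked.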


