Hi Jody,

Our 'OpenGeoGroep' in The Netherlands tries to give back around 10% of our profit to the FOSS projects we are using.

As Geoserver is an important cornerstone for Open Geo stuff, and we were looking for candidates at this moment: we can sponsor at least 3 days (depending on tariff). I will contact you in private.

Regards,

Richard Duivenvoorde

On 12/12/21 20:37, Jody Garnett wrote:
> We still have not had resources to update to log4j2 … if anyone has budget or 3-5 days of time we would be happy to upgrade and patch for this vulnerability.
>
> Seriously our version of log4j is no longer supported and some technical debt that could use some love :)
>
> Jody
>
> On Sun, Dec 12, 2021 at 1:15 AM Richard Duivenvoorde <rdmaili...@duif.net> wrote:
>> Hi Devs,
>>
>> In our national IT security group (and national news) there is an item about an issue with log4j2, pointing to:
>>
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228
>>
>> or
>>
>> https://logging.apache.org/log4j/2.x/security.html
>>
>> As I deployed some Geoservers at some servers here and there :-) I'm wondering IF Geoserver (as being a public faced java application) is vulnerable or not...
>>
>> Anybody can confirm Geoserver (or Tomcat) use log4j(2?) <=2.14.1?
>>
>> Or actually should Geoserver users do the mitigation actions written in the apache security link?
>>
>> OR totally is not affected...
>>
>> Any hints appreciated,
>>
>> Regards,
>>
>> Richard Duivenvoorde
>>
>> _______________________________________________
>> Geoserver-devel mailing list
>> Geoserver-devel@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>
> --
> Jody Garnett
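An added example, not part of the thread and not GeoServer project code: one way to answer the question of which log4j a deployment ships is to inventory the jars under the servlet container and sort them into log4j 1.x, log4j2 core within the `<=2.14.1` range quoted above, and newer log4j2. The directory layout and jar names in `demo()` are constructed samples, and the function names are hypothetical.

```python
import re
import tempfile
from pathlib import Path

# Matches log4j-1.2.17.jar (1.x) and log4j-core-2.14.1.jar (2.x core).
# log4j-api-*.jar and the log4j-1.2-api-*.jar bridge are deliberately not matched.
JAR_RE = re.compile(
    r"^log4j(?:-core)?-(\d+)\.(\d+)(?:\.(\d+))?(?:-[A-Za-z][A-Za-z0-9]*)?\.jar$")
PAGE_RANGE_MAX = (2, 14, 1)  # the "<=2.14.1" bound quoted in the thread


def classify(jar_name):
    """Return (version, verdict) for a log4j jar file name, or None."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    version = tuple(int(g or 0) for g in m.groups())
    if version[0] == 1:
        verdict = "log4j 1.x: not log4j2, but no longer supported upstream"
    elif version <= PAGE_RANGE_MAX:
        verdict = "log4j2 <= 2.14.1: follow the Apache security page"
    else:
        verdict = "log4j2 > 2.14.1: outside the range asked about"
    return version, verdict


def scan(root):
    """Classify every log4j jar below root, keyed by path relative to root."""
    found = {}
    for jar in sorted(Path(root).rglob("log4j*.jar")):
        hit = classify(jar.name)
        if hit:
            found[jar.relative_to(root).as_posix()] = hit
    return found


def demo():
    """Scan a constructed layout (file names are samples, not GeoServer's)."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp, "webapps", "geoserver", "WEB-INF", "lib")
        lib.mkdir(parents=True)
        for name in ("log4j-1.2.17.jar", "log4j-core-2.14.1.jar",
                     "log4j-api-2.14.1.jar", "log4j-core-2.0-beta9.jar"):
            (lib / name).touch()
        return scan(tmp)


if __name__ == "__main__":
    for path, (version, verdict) in demo().items():
        print(path, ".".join(map(str, version)), verdict)
```

Matching on file names misses renamed jars and log4j classes bundled inside other archives, so an empty result is not proof of absence.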