See http://geoserver.org/behind%20the%20scenes/2022/01/20/log4j-upgrade.html

If you and your customers are in urgent need for this upgrade, don't
hesitate to sponsor the effort.

Cheers
Andrea


On Mon, Jan 10, 2022 at 5:32 PM Ron Lindhoudt via Geoserver-users <
geoserver-users@lists.sourceforge.net> wrote:

> Our customers are demanding support for the latest version of log4j in
> Geoserver, I mean the latest 2.* without vulnerabilities, because log4j 1.*
> is EOL.
> On the Geoserver website I found this (13-12-2021):
>
> We are also aware that Log4J 1.2.17 is an “End Of Life” (EOL) project, and
> are actively looking for funding to perform an upgrade to more recent
> versions of them. All new logging libraries have a different API and a
> different configuration file layout, with potential backwards compatibility
> issues, so this will be likely done on newer versions of GeoServer (2.21.x).
>
> What is the status at this moment?
>
> Thanks,
> Ron
> On Monday, 20 December 2021, 11:38:54 CET, Mark Prins <mc.pr...@gmail.com>
> wrote:
>
>
> On 19-12-2021 11:11, Michael Steigemann via Geoserver-users wrote:
> > Hello!
> > Thank you very much for providing the geoserver.war:
> > log4j-1.2.17.norce.jar.
> > I have integrated into geoserver and ran an OWASP dependency check (
> > https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html)
> >
> > The library is still classified as critical:
> > geoserver.war: log4j-1.2.17.norce.jar
> > cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:*
> > pkg:maven/log4j/log4j@1.2.17-norce    CRITICAL    2    Highest    27
> >
> > Do you think it is possible and a good idea to register the library as
> > "safe" in the central database?
>
> No, this is not a new release but the same release with some files
> removed and a way of preventing people from shooting themselves in the
> foot because they can no longer configure the culprit appenders.
>
> After inspection of the new jar file you can add a suppression for false
> positives like
>
> <suppress>
>     <notes>
>         <![CDATA[
>
>                   CVE-2019-17571 log4j Socket Server
>                   CVE-2020-9488 log4j SMTP appender
>                   CVE-2021-4104 log4j JMSAppender
>         ]]>
>     </notes>
>     <gav regex="true">^log4j:log4j:1\.2\.17$</gav>
>     <cve>CVE-2019-17571</cve>
>     <cve>CVE-2020-9488</cve>
>     <cve>CVE-2021-4104</cve>
> </suppress>
>
>
>
>
>
> _______________________________________________
> Geoserver-users mailing list
>
> Please make sure you read the following two resources before posting to
> this list:
> - Earning your support instead of buying it, by Ian Turton:
> http://www.ianturton.com/talks/foss4g.html#/
> - The GeoServer user list posting guidelines:
> http://geoserver.org/comm/userlist-guidelines.html
>
> If you want to request a feature or an improvement, also see this:
> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>
>
> Geoserver-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>


-- 

Regards,

Andrea Aime

==
GeoServer Professional Services from the experts!

Visit http://bit.ly/gs-services-us for more information.
==

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions Group
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 333 8128928

https://www.geosolutionsgroup.com/
http://twitter.com/geosolutions_it

-------------------------------------------------------

With reference to the legislation on the processing of personal data (EU
Reg. 2016/679 - General Data Protection Regulation "GDPR"), please note that
every circumstance concerning this email (its content, any attachments,
etc.) is information whose knowledge is reserved solely to the recipient(s)
indicated by the sender. If this message has reached you by mistake, you are
required to delete it; any other operation is unlawful. I would in any case
be grateful if you could let me know.

This email is intended only for the person or entity to which it is
addressed and may contain information that is privileged, confidential or
otherwise protected from disclosure. We remind that - as provided by
European Regulation 2016/679 “GDPR” - copying, dissemination or use of this
e-mail or the information herein by anyone other than the intended
recipient is prohibited. If you have received this email by mistake, please
notify us immediately by telephone or e-mail
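Added example, not code from the thread or from the GeoServer project: a Python script that performs the "inspection of the new jar file" Mark asks for before a suppression is added. It confirms that the classes behind the three CVEs named in the suppression (SocketServer, SMTPAppender, JMSAppender) are absent from the jar, checks that the suppression's <gav> regex actually matches the coordinates dependency-check printed for the artifact (pkg:maven/log4j/log4j@1.2.17-norce, i.e. log4j:log4j:1.2.17-norce), and only then emits the <suppress> element. The class paths, the widened regex (the thread's ^log4j:log4j:1\.2\.17$ would not match a version string carrying the -norce qualifier, so the example allows it optionally) and the in-memory sample jars are assumptions made for the example.

```python
"""Verify a stripped log4j 1.x jar before suppressing dependency-check findings.

Added example, not code from the GeoServer project or the mailing-list thread.
"""
import io
import re
import zipfile

# Class files that the "norce" build is meant to drop; the CVE for each is
# taken from the suppression posted in the thread (class paths are assumptions).
CULPRIT_CLASSES = {
    "org/apache/log4j/net/SocketServer.class": "CVE-2019-17571",
    "org/apache/log4j/net/SMTPAppender.class": "CVE-2020-9488",
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104",
}

# Coordinates as dependency-check printed them: pkg:maven/log4j/log4j@1.2.17-norce
REPORTED_GAV = "log4j:log4j:1.2.17-norce"

# Widened from the thread's ^log4j:log4j:1\.2\.17$ so it also matches the
# "-norce" qualifier (assumption: the qualifier is part of the derived version).
GAV_REGEX = r"^log4j:log4j:1\.2\.17(-norce)?$"


def remaining_culprits(jar_bytes: bytes) -> dict:
    """Return {class_path: cve} for culprit classes still present in the jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
    return {path: cve for path, cve in CULPRIT_CLASSES.items() if path in names}


def gav_regex_matches(regex: str, gav: str) -> bool:
    """dependency-check applies <gav regex="true"> to the group:artifact:version string."""
    return re.search(regex, gav) is not None


def build_suppression(regex: str, cves) -> str:
    """Render one <suppress> element in dependency-check's suppression file format."""
    cve_lines = "".join(f"    <cve>{cve}</cve>\n" for cve in sorted(cves))
    return (
        "<suppress>\n"
        "    <notes><![CDATA[Culprit appender classes verified absent from the jar]]></notes>\n"
        f'    <gav regex="true">{regex}</gav>\n'
        f"{cve_lines}"
        "</suppress>\n"
    )


def suppression_for_jar(jar_bytes: bytes, regex: str = GAV_REGEX, gav: str = REPORTED_GAV):
    """Return (xml, "ok"), or (None, reason) if the suppression must not be added."""
    left = remaining_culprits(jar_bytes)
    if left:
        return None, f"culprit classes still present: {sorted(left)}"
    if not gav_regex_matches(regex, gav):
        return None, f"gav regex {regex!r} does not match reported {gav!r}"
    return build_suppression(regex, CULPRIT_CLASSES.values()), "ok"


def make_jar(entries) -> bytes:
    """Constructed stand-in for a jar: a zip archive with the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"")
    return buf.getvalue()


# Constructed sample jars: one with the appenders stripped, one untouched.
STRIPPED_JAR = make_jar(["org/apache/log4j/Logger.class",
                         "org/apache/log4j/net/SocketAppender.class"])
UNTOUCHED_JAR = make_jar(["org/apache/log4j/Logger.class", *CULPRIT_CLASSES])

if __name__ == "__main__":
    for label, jar in (("stripped", STRIPPED_JAR), ("untouched", UNTOUCHED_JAR)):
        xml, reason = suppression_for_jar(jar)
        print(f"{label}: {reason}")
        if xml:
            print(xml)
```

Against a real jar, replace the constructed archives with the bytes of geoserver.war's log4j-1.2.17.norce.jar and re-run the finding-by-finding check whenever the jar is rebuilt; a suppression should follow the inspection, never replace it.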
