We actually have a call out for sponsors and proposals on replacing the log4j1 library: http://geoserver.org/behind%20the%20scenes/2022/01/20/log4j-upgrade.html
Please support geoserver!
--
Jody Garnett

On Mon, 24 Jan 2022 at 03:52, Andrea Aime <andrea.a...@geosolutionsgroup.com> wrote:

> See
> http://geoserver.org/behind%20the%20scenes/2022/01/20/log4j-upgrade.html
>
> If you and your customers are in urgent need for this upgrade, don't
> hesitate to sponsor the effort.
>
> Cheers
> Andrea
>
>
> On Mon, Jan 10, 2022 at 5:32 PM Ron Lindhoudt via Geoserver-users <
> geoserver-users@lists.sourceforge.net> wrote:
>
>> Our customers are demanding to support the latest version of log4j in
>> Geoserver, I mean the latest 2.* without vulnerabilities because log4j 1.*
>> is EOL.
>> On the Geoserver website I found this (13-12-2021):
>>
>> We are also aware that Log4J 1.2.17 is an “End Of Life” (EOL) project,
>> and are actively looking for funding to perform an upgrade to more recent
>> versions of them. All new logging libraries have a different API and a
>> different configuration file layout, with potential backwards compatibility
>> issues, so this will be likely done on newer versions of GeoServer (2.21.x).
>>
>> What is the status at this moment?
>>
>> Thanks,
>> Ron
>> On Monday, 20 December 2021, 11:38:54 CET, Mark Prins <mc.pr...@gmail.com>
>> wrote:
>>
>>
>> On 19-12-2021 11:11, Michael Steigemann via Geoserver-users wrote:
>> > Hello!
>> > Thank you very much for providing the geoserver.war:
>> > log4j-1.2.17.norce.jar.
>> > I have integrated into geoserver and ran an OWASP dependency check (
>> > https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html
>> >)
>> >
>> > The library is still classified as critical:
>> > geoserver.war: log4j-1.2.17.norce.jar
>> > cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:*
>> > pkg:maven/log4j/log4j@1.2.17-norce CRITICAL 2 Highest 27
>> >
>> > Do you think it is possible and a good idea to register the library as
>> > "safe" in the central database?
>>
>> No, this is not a new release but the same release with some files
>> removed and a way of preventing people from shooting themselves in the
>> foot because they can no longer configure the culprit appenders.
>>
>> After inspection of the new jar file you can add a suppression for false
>> positives like
>>
>> <suppress>
>>   <notes>
>>     <![CDATA[
>>     CVE-2019-17571 log4j Socket Server
>>     CVE-2020-9488 log4j SMTP appender
>>     CVE-2021-4104 log4j JMSAppender
>>     ]]>
>>   </notes>
>>   <gav regex="true">^log4j:log4j:1\.2\.17$</gav>
>>   <cve>CVE-2019-17571</cve>
>>   <cve>CVE-2020-9488</cve>
>>   <cve>CVE-2021-4104</cve>
>> </suppress>
>>
>> _______________________________________________
>> Geoserver-users mailing list
>>
>> Please make sure you read the following two resources before posting to
>> this list:
>> - Earning your support instead of buying it, by Ian Turton:
>> http://www.ianturton.com/talks/foss4g.html#/
>> - The GeoServer user list posting guidelines:
>> http://geoserver.org/comm/userlist-guidelines.html
>>
>> If you want to request a feature or an improvement, also see this:
>> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>>
>> Geoserver-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>
> --
>
> Regards,
>
> Andrea Aime
>
> Ing. Andrea Aime
> Technical Lead
> GeoSolutions Group
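
Added example (not part of the thread, and not GeoServer or Dependency-Check code): the "inspection of the new jar file" step that Mark Prins mentions before adding the suppression, done as a script that reports which of the three CVEs still have their class in the jar. The class names are upstream log4j 1.2 names assumed here, the function names are hypothetical, and the sample jar is constructed in memory.

```python
import io
import zipfile

# Assumption (not from the thread): upstream log4j 1.2 class names behind each
# CVE in the suppression. The thread does not say which files were removed.
CVE_CLASSES = {
    "CVE-2019-17571": ["org/apache/log4j/net/SocketServer",
                       "org/apache/log4j/net/SimpleSocketServer",
                       "org/apache/log4j/net/SocketNode"],
    "CVE-2020-9488": ["org/apache/log4j/net/SMTPAppender"],
    "CVE-2021-4104": ["org/apache/log4j/net/JMSAppender"],
}


def audit_jar(jar):
    """Map each CVE to its .class entries still in the jar (path or file object)."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
    return {
        cve: sorted(n for n in names
                    # Name.class itself, or an inner class such as Name$1.class
                    if any(n == p + ".class" or n.startswith(p + "$") for p in prefixes))
        for cve, prefixes in CVE_CLASSES.items()
    }


def suppressible(found):
    """CVEs whose classes are all gone: the only ones to list as <cve> entries."""
    return sorted(cve for cve, hits in found.items() if not hits)


def make_jar(entries):
    """Build a constructed in-memory jar containing the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed sample: a stripped jar where SMTPAppender was left behind.
    found = audit_jar(make_jar(["org/apache/log4j/Logger.class",
                                "org/apache/log4j/net/SMTPAppender.class"]))
    for cve, hits in found.items():
        print(cve, "still present:" if hits else "absent, may be suppressed", *hits)
```

For a real check, pass the path of the jar extracted from geoserver.war to audit_jar() and keep a <cve> line in the suppression only for the CVEs that suppressible() returns.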