We actually have a call out for sponsors and proposals on replacing the
log4j1 library:
http://geoserver.org/behind%20the%20scenes/2022/01/20/log4j-upgrade.html
Please support geoserver!
--
Jody Garnett
On Mon, 24 Jan 2022 at 03:52, Andrea Aime
wrote:
See http://geoserver.org/behind%20the%20scenes/2022/01/20/log4j-upgrade.html
If you and your customers are in urgent need for this upgrade, don't
hesitate to sponsor the effort.
Cheers
Andrea
On Mon, Jan 10, 2022 at 5:32 PM Ron Lindhoudt via Geoserver-users <
geoserver-users@lists.sourceforge.n
@lists.sourceforge.net; Mark Prins
Subject: Re: [Geoserver-users] [EXTERN!]: LOG4J Version in GeoServer
Currently there are no plans to change the logging framework. The question
is how much do you and your customers want to make this change happen? Even
estimating the cost of the update is probably several days work, so until
we get funding to start looking there isn't even a plan.
There is a chanc
Our customers are demanding to support the latest version of log4j in
Geoserver, I mean the latest 2.* without vulnerabilities because log4j 1.* is
EOL.
On the Geoserver website I found this (13-12-2021):
We are also aware that Log4J 1.2.17 is an “End Of Life” (EOL) project, and are
actively loo
On 19-12-2021 11:11, Michael Steigemann via Geoserver-users wrote:
Hello!
Thank you very much for providing the geoserver.war:
log4j-1.2.17.norce.jar.
I have integrated into geoserver and ran an OWASP dependency check (
https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html
)
The library is still classified as critical:
geoserver.war: log4j-1
Our official statement covers both vulnerabilities, please read:
http://geoserver.org/announcements/2021/12/13/logj4-rce-statement.html
Cheers
Andrea
On Thu, Dec 16, 2021 at 2:28 PM Ron Lindhoudt via Geoserver-users <
geoserver-users@lists.sourceforge.net> wrote:
I understand that the GeoTools/Geoserver community has made a fix to address
the JMSAppender vulnerability:
log4j-1.2.17.norce.jar
https://repo.osgeo.org/repository/geotools-releases/log4j/log4j/1.2.17.norce/log4j-1.2.17.norce.jar
But there is also an older vulnerability
https://nvd.nist.gov/vuln/
Hi,
please be aware that also log4j 1.x might be affected when using the
JMSAppender in the configuration!
From the log4j project website:
Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j
1.x are only vulnerable to this attack when they use JNDI in their
configura