subject:"Re\: \[cas\-user\] Re\: log4j vulnerability remediation"

Re: [cas-user] Re: log4j vulnerability remediation

2021-12-16 Thread Jennifer LaVoie

Thanks, Lars.  Very helpful

On Thu, Dec 16, 2021 at 11:18 AM Lars Feistner 
wrote:

> Hi,
>
> just in case anyone out there is still using the 5.3.x version and
> building the overlay with maven.
> I have added these lines to the dependencies section:
> 
>   org.apache.logging.log4j
>   log4j-api
>   ${log4j.version}
>   runtime
> 
> 
>   org.apache.logging.log4j
>   log4j-core
>   ${log4j.version}
>   runtime
> 
> 
>   org.apache.logging.log4j
>   log4j-jcl
>   ${log4j.version}
>   runtime
> 
> 
>   org.apache.logging.log4j
>   log4j-slf4j-impl
>   ${log4j.version}
>   runtime
> 
> 
>   org.apache.logging.log4j
>   log4j-web
>   ${log4j.version}
>   runtime
> 
> and these lines to the excludes section of the maven-war-plugin
> 
> 
>   org.apereo.cas
>   cas-server-webapp${app.server}
>   
> WEB-INF/lib/log4j-api-2.12.1.jar
> WEB-INF/lib/log4j-core-2.12.1.jar
> WEB-INF/lib/log4j-jcl-2.12.1.jar
> WEB-INF/lib/log4j-slf4j-impl-2.12.1.jar
> WEB-INF/lib/log4j-web-2.12.1.jar
>   
> 
>   
>
> Best regards,
> Lars
>
>
>
> On 15.12.21 21:24, Baba Ndiaye wrote:
>
> Thank you Jeff
>
> Le mercredi 15 décembre 2021 à 19:46:39 UTC, jeffrey...@gmail.com a
> écrit :
>
>> I did this based on what was posted earlier in the thread to update 6.2.
>>
>> -- add to build.gradle dependencies section
>>
>> implementation "org.apache.logging.log4j:log4j-api:2.16.0"
>> implementation "org.apache.logging.log4j:log4j-core:2.16.0"
>> implementation "org.apache.logging.log4j:log4j-jcl:2.16.0"
>> implementation "org.apache.logging.log4j:log4j-jul:2.16.0"
>> implementation "org.apache.logging.log4j:log4j-web:2.16.0"
>> implementation "org.apache.logging.log4j:log4j-slf4j18-impl:2.16.0"
>>
>> -- add to the end of build.gradle
>>
>> bootWar {
>> entryCompression = ZipEntryCompression.STORED
>> overlays {
>> cas {
>> from
>> "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}@war
>> "
>> provided = false
>> excludes =
>> ["WEB-INF/lib/log4j*2.12.*.jar","WEB-INF/lib/log4j*2.13.*.jar"]
>> }
>> }
>> }
>>
>> I would recommend you unpack the new war once it is built and update the
>> excludes list as needed.
>>
>> -Jeff
>> -Jeff
>>
>>
>> On Wed, Dec 15, 2021 at 2:22 PM Baba Ndiaye  wrote:
>>
>>> good evening
>>>
>>> I would like to know if we make an update of log4j 2.16 how to know if CAS 
>>> has supported it (use it) and also for the update we only need to add this 
>>> lines
>>>
>>>
>>> dependencies {compile "org.apache.logging.log4j:log4j-api:2.15.0"
>>> compile "org.apache.logging.log4j:log4j-core:2.15.0"compile 
>>> "org.apache.logging.log4j:log4j-jcl:2.15.0"compile 
>>> "org.apache.logging.log4j:log4j-jul:2.15.0"compile 
>>> "org.apache.logging.log4j:log4j-web:2.15.0"compile 
>>> "org.apache.logging.log4j:log4j-slf4j18-impl:2.15.0"}
>>>
>>>
>>> Le mer. 15 déc. 2021 à 03:43, Jeffrey Ramsay  a
>>> écrit :
>>>
 Robert and Joe,

 Your examples were really helpful. I was able to combine the steps and
 patch our systems.

 Thanks,
 -Jeff

 On Tue, Dec 14, 2021 at 1:58 PM Pablo Vidaurri 
 wrote:

> Note v2.16.0 is now out  a patch for the patch
>
> On Tuesday, December 14, 2021 at 10:02:48 AM UTC-6 apereo_cas_user
> wrote:
>
>> We use cas 6.1.7  overlay template [still in pre-prod] for delegated
>> authentication.
>> As a temp solution we replaced log4j  2.12.1 with 2.15.0 manually and
>> bounced tomcat.
>> Is there a way we can exclude 2.12.1 from the build . [I can pull in
>> 2.15.0 by adding in build.gradle but conflict with 2.12.1].  We have 
>> issues
>> when upgrading to 6.3.7.2
>>
>> Thanks
>>
>> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google
> Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to cas-user+u...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/379632b4-2e9b-40b1-824d-1eebbdee4f83n%40apereo.org
> 
> .
>
 --
 - Website: https://apereo.github.io/cas
 - Gitter Chatroom: https://gitter.im/apereo/cas
 - List Guidelines: https://goo.gl/1VRrw7
 - Contributions: https://go

Re: [cas-user] Re: log4j vulnerability remediation

2021-12-16 Thread Lars Feistner


Hi,

just in case anyone out there is still using the 5.3.x version and 
building the overlay with maven.

I have added these lines to the dependencies section:

  org.apache.logging.log4j
  log4j-api
  ${log4j.version}
  runtime
    
    
  org.apache.logging.log4j
  log4j-core
  ${log4j.version}
  runtime
    
    
  org.apache.logging.log4j
  log4j-jcl
  ${log4j.version}
  runtime
    
    
  org.apache.logging.log4j
  log4j-slf4j-impl
  ${log4j.version}
  runtime
    
    
  org.apache.logging.log4j
  log4j-web
  ${log4j.version}
  runtime
    
and these lines to the excludes section of the maven-war-plugin

    
  org.apereo.cas
cas-server-webapp${app.server}
  
WEB-INF/lib/log4j-api-2.12.1.jar
WEB-INF/lib/log4j-core-2.12.1.jar
WEB-INF/lib/log4j-jcl-2.12.1.jar
WEB-INF/lib/log4j-slf4j-impl-2.12.1.jar
WEB-INF/lib/log4j-web-2.12.1.jar
  
    
  

Best regards,
Lars



On 15.12.21 21:24, Baba Ndiaye wrote:

Thank you Jeff

Le mercredi 15 décembre 2021 à 19:46:39 UTC, jeffrey...@gmail.com a 
écrit :


I did this based on what was posted earlier in the thread
to update 6.2.

-- add to build.gradle dependencies section

    implementation "org.apache.logging.log4j:log4j-api:2.16.0"
    implementation "org.apache.logging.log4j:log4j-core:2.16.0"
    implementation "org.apache.logging.log4j:log4j-jcl:2.16.0"
    implementation "org.apache.logging.log4j:log4j-jul:2.16.0"
    implementation "org.apache.logging.log4j:log4j-web:2.16.0"
    implementation
"org.apache.logging.log4j:log4j-slf4j18-impl:2.16.0"

-- add to the end of build.gradle

bootWar {
    entryCompression = ZipEntryCompression.STORED
    overlays {
        cas {
            from

"org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}@war"
            provided = false
            excludes =
["WEB-INF/lib/log4j*2.12.*.jar","WEB-INF/lib/log4j*2.13.*.jar"]
        }
    }
}

I would recommend you unpack the new war once it is built and
update the excludes list as needed.

-Jeff
-Jeff


On Wed, Dec 15, 2021 at 2:22 PM Baba Ndiaye 
wrote:

good evening

I would like to know if we make an update of log4j 2.16 how to
know if CAS has supported it (use it) and also for the update
we only need to add this lines

dependencies {     compile
"org.apache.logging.log4j:log4j-api:2.15.0"     compile
"org.apache.logging.log4j:log4j-core:2.15.0"     compile
"org.apache.logging.log4j:log4j-jcl:2.15.0"     compile
"org.apache.logging.log4j:log4j-jul:2.15.0"     compile
"org.apache.logging.log4j:log4j-web:2.15.0"     compile
"org.apache.logging.log4j:log4j-slf4j18-impl:2.15.0" }


Le mer. 15 déc. 2021 à 03:43, Jeffrey Ramsay
 a écrit :

Robert and Joe,

Your examples were really helpful. I was able to combine
the steps and patch our systems.

Thanks,
-Jeff

On Tue, Dec 14, 2021 at 1:58 PM Pablo Vidaurri
 wrote:

Note v2.16.0 is now out  a patch for the patch

On Tuesday, December 14, 2021 at 10:02:48 AM UTC-6
apereo_cas_user wrote:

We use cas 6.1.7  overlay template [still in
pre-prod] for delegated authentication.
As a temp solution we replaced log4j 2.12.1 with
2.15.0 manually and bounced tomcat.
Is there a way we can exclude 2.12.1 from the
build . [I can pull in 2.15.0 by adding in
build.gradle but conflict with 2.12.1]. We have
issues when upgrading to 6.3.7.2

Thanks

-- 
- Website: https://apereo.github.io/cas

- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed
to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving
emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit

https://groups.google.com/a/apereo.org/d/msgid/cas-user/379632b4-2e9b-40b1-824d-1eebbdee4f83n%40apereo.org

.

-- 
- Website: https://apereo.github.io/cas

- Gitter Chatroom: https://gitter.im/apereo/cas
- L

Re: [cas-user] Re: log4j vulnerability remediation

2021-12-15 Thread Baba Ndiaye

Eventually i'm using JSON for service registry but i have this
unzip -l /var/lib/tomcat9/webapps/cas.war | grep log4j
35359  2021-12-15 21:05   WEB-INF/lib/log4j-web-2.16.0.jar
21248  2021-12-15 21:05   WEB-INF/lib/log4j-slf4j18-impl-2.16.0.jar
  1789565  2021-12-15 21:05   WEB-INF/lib/log4j-core-2.16.0.jar
12847  2021-12-15 21:05   WEB-INF/lib/log4j-jcl-2.16.0.jar
30977  2021-12-15 21:05   WEB-INF/lib/log4j-jul-2.16.0.jar
   301892  2021-12-15 21:05   WEB-INF/lib/log4j-api-2.16.0.jar
26461  2021-12-15 22:08   WEB-INF/lib/log4j-jul-2.14.1.jar
12694  2021-12-15 22:08   WEB-INF/lib/log4j-jcl-2.14.1.jar
20688  2021-12-15 22:08   WEB-INF/lib/log4j-slf4j18-impl-2.14.1.jar
   300365  2021-12-15 22:08   WEB-INF/lib/log4j-api-2.14.1.jar
35337  2021-12-15 22:08   WEB-INF/lib/log4j-web-2.14.1.jar
 4774  2021-12-15 22:08
WEB-INF/lib/spring-boot-starter-log4j2-2.5.4.jar
  1745700  2021-12-15 22:08   WEB-INF/lib/log4j-core-2.14.1.jar
   180352  2021-12-15 22:08
WEB-INF/lib/log4j-layout-template-json-2.14.1.jar

WEB-INF/lib/log4j-core-2.14.1.jar  and
WEB-INF/lib/log4j-layout-template-json-2.14.1.jar are always log4j 2.14.1
any issue please

Le mer. 15 déc. 2021 à 20:24, Baba Ndiaye  a écrit :

> Thank you Jeff
>
> Le mercredi 15 décembre 2021 à 19:46:39 UTC, jeffrey...@gmail.com a
> écrit :
>
>> I did this based on what was posted earlier in the thread to update 6.2.
>>
>> -- add to build.gradle dependencies section
>>
>> implementation "org.apache.logging.log4j:log4j-api:2.16.0"
>> implementation "org.apache.logging.log4j:log4j-core:2.16.0"
>> implementation "org.apache.logging.log4j:log4j-jcl:2.16.0"
>> implementation "org.apache.logging.log4j:log4j-jul:2.16.0"
>> implementation "org.apache.logging.log4j:log4j-web:2.16.0"
>> implementation "org.apache.logging.log4j:log4j-slf4j18-impl:2.16.0"
>>
>> -- add to the end of build.gradle
>>
>> bootWar {
>> entryCompression = ZipEntryCompression.STORED
>> overlays {
>> cas {
>> from
>> "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}@war
>> "
>> provided = false
>> excludes =
>> ["WEB-INF/lib/log4j*2.12.*.jar","WEB-INF/lib/log4j*2.13.*.jar"]
>> }
>> }
>> }
>>
>> I would recommend you unpack the new war once it is built and update the
>> excludes list as needed.
>>
>> -Jeff
>> -Jeff
>>
>>
>> On Wed, Dec 15, 2021 at 2:22 PM Baba Ndiaye  wrote:
>>
>>> good evening
>>>
>>> I would like to know if we make an update of log4j 2.16 how to know if CAS 
>>> has supported it (use it) and also for the update we only need to add this 
>>> lines
>>>
>>>
>>> dependencies {
>>> compile "org.apache.logging.log4j:log4j-api:2.15.0"
>>> compile "org.apache.logging.log4j:log4j-core:2.15.0"
>>> compile "org.apache.logging.log4j:log4j-jcl:2.15.0"
>>> compile "org.apache.logging.log4j:log4j-jul:2.15.0"
>>> compile "org.apache.logging.log4j:log4j-web:2.15.0"
>>> compile "org.apache.logging.log4j:log4j-slf4j18-impl:2.15.0"
>>> }
>>>
>>>
>>> Le mer. 15 déc. 2021 à 03:43, Jeffrey Ramsay  a
>>> écrit :
>>>
 Robert and Joe,

 Your examples were really helpful. I was able to combine the steps and
 patch our systems.

 Thanks,
 -Jeff

 On Tue, Dec 14, 2021 at 1:58 PM Pablo Vidaurri 
 wrote:

> Note v2.16.0 is now out  a patch for the patch
>
> On Tuesday, December 14, 2021 at 10:02:48 AM UTC-6 apereo_cas_user
> wrote:
>
>> We use cas 6.1.7  overlay template [still in pre-prod] for delegated
>> authentication.
>> As a temp solution we replaced log4j  2.12.1 with 2.15.0 manually and
>> bounced tomcat.
>> Is there a way we can exclude 2.12.1 from the build . [I can pull in
>> 2.15.0 by adding in build.gradle but conflict with 2.12.1].  We have 
>> issues
>> when upgrading to 6.3.7.2
>>
>> Thanks
>>
>> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google
> Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to cas-user+u...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/379632b4-2e9b-40b1-824d-1eebbdee4f83n%40apereo.org
> 
> .
>
 --
 - Website: https://apereo.github.io/cas
 - Gitter Chatroom: https://gitter.im/apereo/cas
 - List Guidelines: https://goo.gl/1VRrw7
 - Contributions: https://goo.gl/mh7qDG
 ---
 You received this message because you are subscribed to the Google
 Grou

Re: [cas-user] Re: log4j vulnerability remediation

2021-12-15 Thread Baba Ndiaye

Thank you Jeff

Le mercredi 15 décembre 2021 à 19:46:39 UTC, jeffrey...@gmail.com a écrit :

> I did this based on what was posted earlier in the thread to update 6.2.
>
> -- add to build.gradle dependencies section
>
> implementation "org.apache.logging.log4j:log4j-api:2.16.0"
> implementation "org.apache.logging.log4j:log4j-core:2.16.0"
> implementation "org.apache.logging.log4j:log4j-jcl:2.16.0"
> implementation "org.apache.logging.log4j:log4j-jul:2.16.0"
> implementation "org.apache.logging.log4j:log4j-web:2.16.0"
> implementation "org.apache.logging.log4j:log4j-slf4j18-impl:2.16.0"
>
> -- add to the end of build.gradle
>
> bootWar {
> entryCompression = ZipEntryCompression.STORED
> overlays {
> cas {
> from 
> "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}@war"
> provided = false
> excludes = 
> ["WEB-INF/lib/log4j*2.12.*.jar","WEB-INF/lib/log4j*2.13.*.jar"]
> }
> }
> }
>
> I would recommend you unpack the new war once it is built and update the 
> excludes list as needed.
>
> -Jeff
> -Jeff
>
>
> On Wed, Dec 15, 2021 at 2:22 PM Baba Ndiaye  wrote:
>
>> good evening 
>>
>> I would like to know if we make an update of log4j 2.16 how to know if CAS 
>> has supported it (use it) and also for the update we only need to add this 
>> lines 
>>
>>
>> dependencies {
>> compile "org.apache.logging.log4j:log4j-api:2.15.0"
>> compile "org.apache.logging.log4j:log4j-core:2.15.0"
>> compile "org.apache.logging.log4j:log4j-jcl:2.15.0"
>> compile "org.apache.logging.log4j:log4j-jul:2.15.0"
>> compile "org.apache.logging.log4j:log4j-web:2.15.0"
>> compile "org.apache.logging.log4j:log4j-slf4j18-impl:2.15.0"
>> }
>>
>>
>> Le mer. 15 déc. 2021 à 03:43, Jeffrey Ramsay  a 
>> écrit :
>>
>>> Robert and Joe,
>>>
>>> Your examples were really helpful. I was able to combine the steps and 
>>> patch our systems.
>>>
>>> Thanks,
>>> -Jeff
>>>
>>> On Tue, Dec 14, 2021 at 1:58 PM Pablo Vidaurri  
>>> wrote:
>>>
 Note v2.16.0 is now out  a patch for the patch

 On Tuesday, December 14, 2021 at 10:02:48 AM UTC-6 apereo_cas_user 
 wrote:

> We use cas 6.1.7  overlay template [still in pre-prod] for delegated 
> authentication.
> As a temp solution we replaced log4j  2.12.1 with 2.15.0 manually and 
> bounced tomcat.
> Is there a way we can exclude 2.12.1 from the build . [I can pull in 
> 2.15.0 by adding in build.gradle but conflict with 2.12.1].  We have 
> issues 
> when upgrading to 6.3.7.2 
>
> Thanks
>
> -- 
 - Website: https://apereo.github.io/cas
 - Gitter Chatroom: https://gitter.im/apereo/cas
 - List Guidelines: https://goo.gl/1VRrw7
 - Contributions: https://goo.gl/mh7qDG
 --- 
 You received this message because you are subscribed to the Google 
 Groups "CAS Community" group.
 To unsubscribe from this group and stop receiving emails from it, send 
 an email to cas-user+u...@apereo.org.
 To view this discussion on the web visit 
 https://groups.google.com/a/apereo.org/d/msgid/cas-user/379632b4-2e9b-40b1-824d-1eebbdee4f83n%40apereo.org
  
 
 .

>>> -- 
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> --- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to cas-user+u...@apereo.org.
>>> To view this discussion on the web visit 
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2BTBYOTzLyDsd-6wUFAJVjOYJkh5Jod95QTAkDH1zi5G8rY7AA%40mail.gmail.com
>>>  
>>> 
>>> .
>>>
>> -- 
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to cas-user+u...@apereo.org.
>>
> To view this discussion on the web visit 
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAFu1ZRtQxm252-6fc7zpj0k23Nd8WPXqf76AKXbNEhmrGuSN7w%40mail.gmail.com
>>  
>> 
>> .
>>
>

-- 
- Website: https://apereo.github.io/cas
- G

Re: [cas-user] Re: log4j vulnerability remediation

2021-12-15 Thread Jeffrey Ramsay

I did this based on what was posted earlier in the thread to update 6.2.

-- add to build.gradle dependencies section

implementation "org.apache.logging.log4j:log4j-api:2.16.0"
implementation "org.apache.logging.log4j:log4j-core:2.16.0"
implementation "org.apache.logging.log4j:log4j-jcl:2.16.0"
implementation "org.apache.logging.log4j:log4j-jul:2.16.0"
implementation "org.apache.logging.log4j:log4j-web:2.16.0"
implementation "org.apache.logging.log4j:log4j-slf4j18-impl:2.16.0"

-- add to the end of build.gradle

bootWar {
entryCompression = ZipEntryCompression.STORED
overlays {
cas {
from
"org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}@war
"
provided = false
excludes =
["WEB-INF/lib/log4j*2.12.*.jar","WEB-INF/lib/log4j*2.13.*.jar"]
}
}
}

I would recommend you unpack the new war once it is built and update the
excludes list as needed.

-Jeff
-Jeff


On Wed, Dec 15, 2021 at 2:22 PM Baba Ndiaye  wrote:

> good evening
>
> I would like to know if we make an update of log4j 2.16 how to know if CAS 
> has supported it (use it) and also for the update we only need to add this 
> lines
>
>
> dependencies {
> compile "org.apache.logging.log4j:log4j-api:2.15.0"
> compile "org.apache.logging.log4j:log4j-core:2.15.0"
> compile "org.apache.logging.log4j:log4j-jcl:2.15.0"
> compile "org.apache.logging.log4j:log4j-jul:2.15.0"
> compile "org.apache.logging.log4j:log4j-web:2.15.0"
> compile "org.apache.logging.log4j:log4j-slf4j18-impl:2.15.0"
> }
>
>
> Le mer. 15 déc. 2021 à 03:43, Jeffrey Ramsay  a
> écrit :
>
>> Robert and Joe,
>>
>> Your examples were really helpful. I was able to combine the steps and
>> patch our systems.
>>
>> Thanks,
>> -Jeff
>>
>> On Tue, Dec 14, 2021 at 1:58 PM Pablo Vidaurri 
>> wrote:
>>
>>> Note v2.16.0 is now out  a patch for the patch
>>>
>>> On Tuesday, December 14, 2021 at 10:02:48 AM UTC-6 apereo_cas_user wrote:
>>>
 We use cas 6.1.7  overlay template [still in pre-prod] for delegated
 authentication.
 As a temp solution we replaced log4j  2.12.1 with 2.15.0 manually and
 bounced tomcat.
 Is there a way we can exclude 2.12.1 from the build . [I can pull in
 2.15.0 by adding in build.gradle but conflict with 2.12.1].  We have issues
 when upgrading to 6.3.7.2

 Thanks

 --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to cas-user+unsubscr...@apereo.org.
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/379632b4-2e9b-40b1-824d-1eebbdee4f83n%40apereo.org
>>> 
>>> .
>>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to cas-user+unsubscr...@apereo.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2BTBYOTzLyDsd-6wUFAJVjOYJkh5Jod95QTAkDH1zi5G8rY7AA%40mail.gmail.com
>> 
>> .
>>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAFu1ZRtQxm252-6fc7zpj0k23Nd8WPXqf76AKXbNEhmrGuSN7w%40mail.gmail.com
> 
> .
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails

Re: [cas-user] Re: log4j vulnerability remediation

2021-12-15 Thread Baba Ndiaye

good evening

I would like to know if we make an update of log4j 2.16 how to know if
CAS has supported it (use it) and also for the update we only need to
add this lines


dependencies {
compile "org.apache.logging.log4j:log4j-api:2.15.0"
compile "org.apache.logging.log4j:log4j-core:2.15.0"
compile "org.apache.logging.log4j:log4j-jcl:2.15.0"
compile "org.apache.logging.log4j:log4j-jul:2.15.0"
compile "org.apache.logging.log4j:log4j-web:2.15.0"
compile "org.apache.logging.log4j:log4j-slf4j18-impl:2.15.0"
}


Le mer. 15 déc. 2021 à 03:43, Jeffrey Ramsay  a
écrit :

> Robert and Joe,
>
> Your examples were really helpful. I was able to combine the steps and
> patch our systems.
>
> Thanks,
> -Jeff
>
> On Tue, Dec 14, 2021 at 1:58 PM Pablo Vidaurri 
> wrote:
>
>> Note v2.16.0 is now out  a patch for the patch
>>
>> On Tuesday, December 14, 2021 at 10:02:48 AM UTC-6 apereo_cas_user wrote:
>>
>>> We use cas 6.1.7  overlay template [still in pre-prod] for delegated
>>> authentication.
>>> As a temp solution we replaced log4j  2.12.1 with 2.15.0 manually and
>>> bounced tomcat.
>>> Is there a way we can exclude 2.12.1 from the build . [I can pull in
>>> 2.15.0 by adding in build.gradle but conflict with 2.12.1].  We have issues
>>> when upgrading to 6.3.7.2
>>>
>>> Thanks
>>>
>>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to cas-user+unsubscr...@apereo.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/379632b4-2e9b-40b1-824d-1eebbdee4f83n%40apereo.org
>> 
>> .
>>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2BTBYOTzLyDsd-6wUFAJVjOYJkh5Jod95QTAkDH1zi5G8rY7AA%40mail.gmail.com
> 
> .
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAFu1ZRtQxm252-6fc7zpj0k23Nd8WPXqf76AKXbNEhmrGuSN7w%40mail.gmail.com.

Re: [cas-user] Re: log4j vulnerability remediation

2021-12-14 Thread Jeffrey Ramsay

Robert and Joe,

Your examples were really helpful. I was able to combine the steps and
patch our systems.

Thanks,
-Jeff

On Tue, Dec 14, 2021 at 1:58 PM Pablo Vidaurri  wrote:

> Note v2.16.0 is now out  a patch for the patch
>
> On Tuesday, December 14, 2021 at 10:02:48 AM UTC-6 apereo_cas_user wrote:
>
>> We use cas 6.1.7  overlay template [still in pre-prod] for delegated
>> authentication.
>> As a temp solution we replaced log4j  2.12.1 with 2.15.0 manually and
>> bounced tomcat.
>> Is there a way we can exclude 2.12.1 from the build . [I can pull in
>> 2.15.0 by adding in build.gradle but conflict with 2.12.1].  We have issues
>> when upgrading to 6.3.7.2
>>
>> Thanks
>>
>> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/379632b4-2e9b-40b1-824d-1eebbdee4f83n%40apereo.org
> 
> .
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2BTBYOTzLyDsd-6wUFAJVjOYJkh5Jod95QTAkDH1zi5G8rY7AA%40mail.gmail.com.

Re: [cas-user] Re: log4j vulnerability remediation

Re: [cas-user] Re: log4j vulnerability remediation

Re: [cas-user] Re: log4j vulnerability remediation

Re: [cas-user] Re: log4j vulnerability remediation

Re: [cas-user] Re: log4j vulnerability remediation

Re: [cas-user] Re: log4j vulnerability remediation

Re: [cas-user] Re: log4j vulnerability remediation

7 matches

Site Navigation

Mail list logo

Footer information