[CentOS] log4j cve

2021-12-14 Thread Steve Clark via CentOS

Hi List,

I see on CentOS 7 it has log4j-1.2.17...
Is it ok to use? I know the CVE was against 2.0 forward, but I don't know if
something was backported to 1.2?

Thanks,
Steve
--
Stephen Clark
NetWolves Managed Services, LLC.
Sr. Applications Architect

Email Confidentiality Notice: The information contained in this transmission 
may contain privileged and confidential and/or protected health information 
(PHI) and may be subject to protection under the law, including the Health 
Insurance Portability and Accountability Act of 1996, as amended (HIPAA). This 
transmission is intended for the sole use of the individual or entity to whom 
it is addressed. If you are not the intended recipient, you are notified that 
any use, dissemination, distribution, printing or copying of this transmission 
is strictly prohibited and may subject you to criminal or civil penalties. If 
you have received this transmission in error, please contact the sender 
immediately and delete this email and any attachments from any computer. Vaso 
Corporation and its subsidiary companies are not responsible for data leaks 
that result from email messages received that contain privileged and 
confidential and/or protected health information (PHI).
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] log4j cve

2021-12-14 Thread Steve Meier

Hello Steve,

On 2021-12-14 13:42, Steve Clark via CentOS wrote:

> Hi List,
>
> I see on CentOS 7 it has log4j-1.2.17...
> Is it ok to use? I know the CVE was against 2.0 forward, but I don't know if
> something was backported to 1.2?
>
> Thanks,
> Steve


log4j Version 1.2 is definitely *NOT* OK to use.

The Apache website https://logging.apache.org/log4j/1.2/ says:
"On August 5, 2015 the Logging Services Project Management Committee
 announced that Log4j 1.x had reached end of life."

There is already an unpatched CVE from 2019 for log4j 1.2.

It's really time to upgrade.

Kind regards,
  Steve


Re: [CentOS] log4j cve

2021-12-14 Thread Steve Clark via CentOS

On 12/14/21 8:07 AM, Steve Meier wrote:

> Hello Steve,
>
> On 2021-12-14 13:42, Steve Clark via CentOS wrote:
>
>> Hi List,
>>
>> I see on CentOS 7 it has log4j-1.2.17...
>> Is it ok to use? I know the CVE was against 2.0 forward, but I don't know if
>> something was backported to 1.2?
>>
>> Thanks,
>> Steve
>
> log4j Version 1.2 is definitely *NOT* OK to use.
>
> The Apache website https://logging.apache.org/log4j/1.2/ says:
> "On August 5, 2015 the Logging Services Project Management Committee
>  announced that Log4j 1.x had reached end of life."
>
> There is already an unpatched CVE from 2019 for log4j 1.2.
>
> It's really time to upgrade.
>
> Kind regards,
>   Steve



This is the standard version that comes with CentOS 7 and is the latest 
available as of a yum update just now.
log4j-1.2.17-16.el7_4.noarch

--
Stephen Clark
NetWolves Managed Services, LLC.
Sr. Applications Architect



Re: [CentOS] log4j cve

2021-12-14 Thread Steve Meier

Hello Steve,

On 2021-12-14 14:14, Steve Clark wrote:

> This is the standard version that comes with CentOS 7 and is the
> latest available as of a yum update just now.
> log4j-1.2.17-16.el7_4.noarch


yes, that's correct, but it is abandoned nonetheless.

According to the RPM's change log, Red Hat backported a fix for 
CVE-2017-5645.

They have not done this for CVE-2019-17571 it seems.
I would be very surprised if they'd do so now.

Kind regards,
  Steve


Re: [CentOS] log4j cve

2021-12-14 Thread Mike Burger

On 2021-12-14 08:31, Steve Meier wrote:

> Hello Steve,
>
> On 2021-12-14 14:14, Steve Clark wrote:
>
>> This is the standard version that comes with CentOS 7 and is the
>> latest available as of a yum update just now.
>> log4j-1.2.17-16.el7_4.noarch
>
> yes, that's correct, but it is abandoned nonetheless.
>
> According to the RPM's change log, Red Hat backported a fix for
> CVE-2017-5645.
>
> They have not done this for CVE-2019-17571 it seems.
> I would be very surprised if they'd do so now.


Well, given that they indicated on their page for this CVE that they 
were still investigating the potential for the vulnerability existing in 
1.2, it may happen.


It would be nice if there was a log4j-2 RPM available for C7, but as of 
this point, I've not been able to locate one.


--
Mike Burger
http://www.bubbanfriends.org

"It's always suicide-mission this, save-the-planet that. No one ever 
just stops by to say 'hi' anymore." --Colonel Jack O'Neill, SG1



Re: [CentOS] log4j cve

2021-12-14 Thread Simon Matter
> Hello Steve,
>
> On 2021-12-14 14:14, Steve Clark wrote:
>>  This is the standard version that comes with CentOS 7 and is the
>> latest available as of a yum update just now.
>> log4j-1.2.17-16.el7_4.noarch
>
> yes, that's correct, but it is abandoned nonetheless.
>
> According to the RPM's change log, Red Hat backported a fix for
> CVE-2017-5645.
> They have not done this for CVE-2019-17571 it seems.
> I would be very surprised if they'd do so now.

It seems CVE-2019-17571 is also covered by the fix for CVE-2017-5645:

https://access.redhat.com/node/4677071

Regards,
Simon



Re: [CentOS] log4j cve

2021-12-14 Thread Markus Falb
On Tue, 2021-12-14 at 14:31 +0100, Steve Meier wrote:
> Hello Steve,
> 
> On 2021-12-14 14:14, Steve Clark wrote:
> >  This is the standard version that comes with CentOS 7 and is the
> > latest available as of a yum update just now.
> > log4j-1.2.17-16.el7_4.noarch
> 
> yes, that's correct, but it is abandoned nonetheless.
> 
> According to the RPM's change log, Red Hat backported a fix for 
> CVE-2017-5645.
> They have not done this for CVE-2019-17571 it seems.
> I would be very surprised if they'd do so now.


https://access.redhat.com/node/4677071

According to that link CVE-2019-17571 is the same issue as CVE-2017-5645
and both are listed as fixed in this errata:
https://access.redhat.com/errata/RHSA-2017:2423

So I think it's fixed.
Best regards, markus
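A check for the point Steve Meier, Simon and Markus go back and forth on, added here as an illustration and not taken from the thread: does the installed log4j RPM's changelog mention a given CVE id, and does an id the vendor tracks under another one (CVE-2019-17571 under CVE-2017-5645, per the Red Hat page linked above) count as covered. The changelog text is a constructed sample standing in for the output of `rpm -q --changelog log4j`.

```shell
#!/bin/sh
# Added example (not from the thread): look up CVE ids in an RPM changelog.
# On a live host the changelog comes from:  rpm -q --changelog log4j
# The text below is a constructed sample, not the real package changelog.
CHANGELOG='* Mon Aug 07 2017 Example Packager <packager@example.com> - 1.2.17-16
- Resolves: CVE-2017-5645 SocketServer deserialization of untrusted data
* Tue Jan 01 2013 Example Packager <packager@example.com> - 1.2.17-15
- Rebuild for new release'

# Ids the vendor tracks under another id, one "<id> <covering-id>" pair per
# line. Per the Red Hat page cited in the thread, CVE-2019-17571 is the same
# issue as CVE-2017-5645.
ALIASES='CVE-2019-17571 CVE-2017-5645'

# mentioned ID TEXT -> exit 0 if ID appears as a whole word in TEXT
# (-w keeps CVE-2017-5645 from matching a longer id such as CVE-2017-56450;
#  -i tolerates lower-case "cve-" spellings in hand-written changelogs)
mentioned() {
    printf '%s\n' "$2" | grep -qiw -- "$1"
}

# cve_status ID TEXT -> prints "fixed", "fixed-via <covering-id>" or "missing";
# exit status is 0 when the id is covered, 1 otherwise
cve_status() {
    id=$1; log=$2
    if mentioned "$id" "$log"; then
        echo "fixed"; return 0
    fi
    alias=$(printf '%s\n' "$ALIASES" | awk -v id="$id" '$1 == id { print $2 }')
    if [ -n "$alias" ] && mentioned "$alias" "$log"; then
        echo "fixed-via $alias"; return 0
    fi
    echo "missing"; return 1
}

# Report on the two ids discussed in the thread.
# Live use: cve_status CVE-2019-17571 "$(rpm -q --changelog log4j)"
for id in CVE-2017-5645 CVE-2019-17571; do
    printf '%s %s\n' "$id" "$(cve_status "$id" "$CHANGELOG")"
done
```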



[CentOS] OT:: Multiple PHP versions

2021-12-14 Thread TE Dukes
Hello,

Been trying to get multiple versions of PHP on a CentOS 7 machine, off and
on for the past couple months. I have followed 5 or 6 different howtos but
none work. They are very similar and they seem to be done on a fresh
install, as most include an Apache install in the steps. I set up two virtualhosts,
one for PHP 5.6 and one for PHP 7.4. When I create a file with phpinfo, it
reports back 5.6.xxx on both sites.

So, I'm wondering if I need to remove the existing PHP version that is
included with CentOS? Any suggestions or a better way to do this?

TIA



Re: [CentOS] OT:: Multiple PHP versions

2021-12-14 Thread Kenneth Porter

On 12/14/2021 9:38 AM, TE Dukes wrote:

> Been trying to get multiple versions of PHP on a CentOS 7 machine, off and
> on for the past couple months. I have followed 5 or 6 different howtos but
> none work. They are very similar and they seem to be done on a fresh
> install, as most include an Apache install in the steps. I set up two virtualhosts,
> one for PHP 5.6 and one for PHP 7.4. When I create a file with phpinfo, it
> reports back 5.6.xxx on both sites.


You should be using Software Collections to install additional versions:

https://www.softwarecollections.org/en/about/

Instead of running PHP within the Apache binary, use a proxy. I suggest 
learning how to use fcgi. Your VirtualHost could include a directive 
like this:

    <FilesMatch "\.php$">
        SetHandler "proxy:fcgi://127.0.0.1:9000"
    </FilesMatch>

Install rh-php73-php-fpm (for example) with yum to run the proxy service.




Re: [CentOS] log4j cve

2021-12-14 Thread Stuart Barkley
On Tue, 14 Dec 2021 at 07:42 -, Steve Clark via CentOS wrote:

> I see on CentOS 7 it has log4j-1.2.17...
> Is it ok to use? I know the CVE was against 2.0 forward, but I don't know if
> something was backported to 1.2?

According to https://access.redhat.com/security/vulnerabilities/RHSB-2021-009
Red Hat 7 is not impacted by this problem.  This may still be something
in flux.  We are removing all instances of log4j from our systems; the
software using it is not important to us, just a convenience.

Stuart


Re: [CentOS] OT:: Multiple PHP versions

2021-12-14 Thread Markus Falb
On Tue, 2021-12-14 at 09:57 -0800, Kenneth Porter wrote:
> On 12/14/2021 9:38 AM, TE Dukes wrote:
> > Been trying to get multiple versions of PHP on a CentOS 7 machine, off and
> > on for the past couple months. I have followed 5 or 6 different howtos but
> > none work. They are very similar and they seem to be done on a fresh
> > install, as most include an Apache install in the steps. I set up two virtualhosts,
> > one for PHP 5.6 and one for PHP 7.4. When I create a file with phpinfo, it
> > reports back 5.6.xxx on both sites.
> 
> You should be using Software Collections to install additional
> versions:
> 
> https://www.softwarecollections.org/en/about/

What about support, i.e. security updates? When I have a look at
https://access.redhat.com/support/policy/updates/rhscl-rhel7

the only php SCL on that page that isn't EOL yet is php 7.3.
Supported multi-php installations seem difficult with that (maybe
there is more behind your www.softwarecollections.org link?), although
it would be possible to have the original non-SCL php 5.4 in addition
to the SCL php 7.3.

Best Regards, Markus



[CentOS] CentOS 9-stream "CRB" repo

2021-12-14 Thread Chris Adams
I'm starting to look at CentOS 9-stream... what is the CRB repo?  It
appears to be a lot of development libraries and such, but I didn't see
a definition or "CRB" anywhere.
-- 
Chris Adams 


Re: [CentOS] CentOS 9-stream "CRB" repo

2021-12-14 Thread Leon Fauster via CentOS

On 15.12.21 at 00:24, Chris Adams wrote:

> I'm starting to look at CentOS 9-stream... what is the CRB repo?  It
> appears to be a lot of development libraries and such, but I didn't see
> a definition or "CRB" anywhere.


https://developers.redhat.com/blog/2018/11/15/introducing-codeready-linux-builder

--
Leon



Re: [CentOS] CentOS 9-stream "CRB" repo

2021-12-14 Thread Stephen John Smoogen
On Tue, 14 Dec 2021 at 18:26, Leon Fauster via CentOS wrote:
>
> On 15.12.21 at 00:24, Chris Adams wrote:
> > I'm starting to look at CentOS 9-stream... what is the CRB repo?  It
> > appears to be a lot of development libraries and such, but I didn't see
> > a definition or "CRB" anywhere.
>
> https://developers.redhat.com/blog/2018/11/15/introducing-codeready-linux-builder

It is what in C8 is called PowerTools.


-- 
Stephen J Smoogen.
Let us be kind to one another, for most of us are fighting a hard
battle. -- Ian MacClaren


Re: [CentOS] OT:: Multiple PHP versions

2021-12-14 Thread Kenneth Porter

On 12/14/2021 1:15 PM, Markus Falb wrote:

> The only php SCL on that page that isn't EOL yet is php 7.3.
> Supported multi-php installations seem difficult with that (maybe
> there is more behind your www.softwarecollections.org link?), although
> it would be possible to have the original non-SCL php 5.4 in addition
> to the SCL php 7.3.


The general concept is to install the 3rd party package to /opt and use 
environment variables like path to drive a service to use the custom 
location for your desired version.


You might find that someone has packaged the version you desire in the 
COPR system. I used that for BackupPC 4 before it was available in EPEL.





Re: [CentOS] Qemu - enabling "bridge mode" for primary physical interface for VMs

2021-12-14 Thread Lists
Thank you, I'll be trying this on a spare machine here before I try it in 
production. Carefully reading the directions, although I see where bridge-br0 
is created, I don't see where bridge-slave-em1 is defined? 



On Tuesday, December 7, 2021 8:25:37 PM PST Chris Adams wrote:
> Once upon a time, Lists said:
> > I understand that it's possible to allow the 4 VM guest systems to each
> > have a "direct" fixed IP address and access the addresses via the host
> > network adapter, while the host retains its fixed IP.
> 
> If you are running NetworkManager (the default), it's not too hard.
> Here's an example step-by-step for changing an existing interface "em1" to
> be a bridge "br0":
> 
> 
> # Create a bridge interface
> nmcli con add type bridge ifname br0 bridge.stp no
> 
> # Copy all the IPv4/IPv6 config from an existing interface
> nmcli con mod bridge-br0 $(nmcli -f ipv4.method,ipv4.addresses,ipv4.gateway,ipv6.method,ipv6.addresses,ipv6.gateway con show em1 | grep -v -- -- | sed 's/:  */ /')
> # -or- just set an IPv4 address/gateway to known values
> nmcli con mod bridge-br0 ipv4.method manual ipv4.address 10.1.1.2/24 ipv4.gateway 10.1.1.1 ipv6.method ignore
> 
> # Make a connection for the physical ethernet em1 to be part of the bridge
> nmcli con add type ethernet ifname em1 master bridge-br0
> 
> # Switch from the "regular" em1 to the bridge
> nmcli con down em1; nmcli con up bridge-br0; nmcli con up bridge-slave-em1
> 
> # Disable the original config
> nmcli con mod em1 autoconnect 0
> 
> 
> Then you set your VMs to use the bridge - in the libvirt XML for
> example, you'd have something like:
> 
> <interface type='bridge'>
>   <source bridge='br0'/>
>   <model type='virtio'/>
>   <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
> </interface>
> 
> 
> Inside the VM, configure the interface just as if it was a physical system
> on that subnet.


