Re: [oXygen-user] [ann] Security maintenance builds in response to the Log4j vulnerability
Thank you so much! I followed your instructions and deleted the calabash folder. I am so grateful that you were able to help me! From: oXygen-user on behalf of Oxygen XML Editor Support (Radu Coravu) Sent: Friday, December 17, 2021 7:52 AM To: oxygen-user@oxygenxml.com Subject: Re: [oXygen-user] [ann] Security maintenance builds in response to the Log4j vulnerability Hi Lisa, Right now we have on our web site new installation kits fixing the security problem for Oxygen 24.0, 23.1 and we'll soon have the same for Oxygen 22.1. For older Oxygen versions there was only one component in Oxygen uses the Log4j 2.x libraries, the Calabash XProc engine located in "OXYGEN_INSTALL_DIR\lib\xproc\calabash". If you are not using Oxygen to edit XProc files you can remove that "calabash" folder completely. Or you can try to use this small free utility we provide to update all Log4.j 2.x libraries in your Oxygen installation: https://github.com/oxygenxml/oxygen-log4j-patcher Regards, Radu Radu Coravu Oxygen XML Editor On 12/17/21 16:14, McAulay, Lisa wrote: Hi George and Oxygen Users, I apologize for bothering you at this time, but I'm trying to determine my risk with Oxygen XML 21.1, build 2019120214. I see it lists log4j 1.2.17, which I think isn't affected by this log4j problem. I'm hoping so! Best regards, Elizabeth Elizabeth McAulay Head of the Digital Library Program emcaulay /at/ library.ucla.edu https://digital.library.ucla.edu/ [UCLA Library Logo]<https://www.library.ucla.edu/> UCLA acknowledges the Gabrielino/Tongva peoples as the traditional land caretakers of Tovaangar (the Los Angeles basin and So. Channel Islands). As a land grant institution, we pay our respects to the Honuukvetam (Ancestors), ‘Ahiihirom (Elders) and ‘Eyoohiinkem (our relatives/relations) past, present and emerging. From: oXygen-user <mailto:oxygen-user-boun...@oxygenxml.com> on behalf of George Bina <mailto:geo...@oxygenxml.com> Sent: Friday, December 17, 2021 5:35 AM To: oXygen User ML <mailto:oxygen-user@oxygenxml.com> Subject: [oXygen-user] [ann] Security maintenance builds in response to the Log4j vulnerability Hi all, We made available maintenance builds for many of our products to provide a fix for the recent security vulnerabilities related to the Apache Log4j library. These builds cover the latest versions of our products as well as older versions. The corresponding security advisory is updated with the latest information about these issue, you can it at: https://www.oxygenxml.com/security/advisory/CVE-2021-44228.html The new maintenance builds that we made available up to this point are listed below: Oxygen XML Editor == Oxygen XML Editor 24.0 build 2021121518 https://www.oxygenxml.com/xml_editor/download_oxygenxml_editor.html Oxygen XML Editor 23.1 build 2021121415 https://www.oxygenxml.com/xml_editor/software_archive_editor.html Oxygen XML Author == Oxygen XML Author 24.0 build 2021121518 https://www.oxygenxml.com/xml_author/download_oxygenxml_author.html Oxygen XML Author 23.1 build 2021121415 https://www.oxygenxml.com/xml_author/software_archive_author.html Oxygen XML Developer == Oxygen XML Developer 24.0 build 2021121518 https://www.oxygenxml.com/xml_developer/download_oxygenxml_developer.html Oxygen XML Developer 23.1 build 2021121317 https://www.oxygenxml.com/xml_developer/software_archive_developer.html Oxygen XML Web Author == Oxygen XML Web Author 24.0.0 build 2021121314 https://www.oxygenxml.com/xml_web_author/download_oxygenxml_web_author.html XML Web Author 23.1.1.2 build 2021121408 https://www.oxygenxml.com/xml_web_author/software_archive_web_author.html Oxygen XML Web Author 22.1.0.4 build 2021121415 https://www.oxygenxml.com/xml_web_author/software_archive_web_author.html Oxygen Content Fusion == Oxygen Content Fusion 4.1.4 build 2021121611 https://www.oxygenxml.com/content_fusion/download.html Oxygen Content Fusion 3.0.1 build 2021121414 https://www.oxygenxml.com/content_fusion/software_archive_content_fusion.html Oxygen Content Fusion 2.0.3 build 2021121417 https://www.oxygenxml.com/content_fusion/software_archive_content_fusion.html Oxygen Feedback == Oxygen Feedback Enterprise 1.4.5 build 2021121314 https://www.oxygenxml.com/oxygen_feedback_enterprise/download.html Oxygen Publishing Engine == Oxygen Publishing Engine 24.0 build 2021121611 https://www.oxygenxml.com/publishing_engine/download.html Oxygen Publishing Engine 23.1 build 2021121413 https://www.oxygenxml.com/publishing_engine/software_archive_publishing_engine.html Oxygen XML WebHelp ==
Re: [oXygen-user] [ann] Security maintenance builds in response to the Log4j vulnerability
Hi Lisa, Right now we have on our web site new installation kits fixing the security problem for Oxygen 24.0, 23.1 and we'll soon have the same for Oxygen 22.1. For older Oxygen versions there was only one component in Oxygen uses the Log4j 2.x libraries, the Calabash XProc engine located in "OXYGEN_INSTALL_DIR\lib\xproc\calabash". If you are not using Oxygen to edit XProc files you can remove that "calabash" folder completely. Or you can try to use this small free utility we provide to update all Log4.j 2.x libraries in your Oxygen installation: https://github.com/oxygenxml/oxygen-log4j-patcher Regards, Radu Radu Coravu Oxygen XML Editor On 12/17/21 16:14, McAulay, Lisa wrote: Hi George and Oxygen Users, I apologize for bothering you at this time, but I'm trying to determine my risk with Oxygen XML 21.1, build 2019120214. I see it lists log4j 1.2.17, which I think isn't affected by this log4j problem. I'm hoping so! Best regards, Elizabeth *Elizabeth McAulay Head of the Digital Library Program* emcaulay /at/ library.ucla.edu https://digital.library.ucla.edu/ UCLA Library Logo <https://www.library.ucla.edu/> UCLA acknowledges the Gabrielino/Tongva peoples as the traditional land caretakers of Tovaangar (the Los Angeles basin and So. Channel Islands). As a land grant institution, we pay our respects to the Honuukvetam (Ancestors), ‘Ahiihirom (Elders) and ‘Eyoohiinkem (our relatives/relations) past, present and emerging. *From:* oXygen-user on behalf of George Bina *Sent:* Friday, December 17, 2021 5:35 AM *To:* oXygen User ML *Subject:* [oXygen-user] [ann] Security maintenance builds in response to the Log4j vulnerability Hi all, We made available maintenance builds for many of our products to provide a fix for the recent security vulnerabilities related to the Apache Log4j library. These builds cover the latest versions of our products as well as older versions. The corresponding security advisory is updated with the latest information about these issue, you can it at: https://www.oxygenxml.com/security/advisory/CVE-2021-44228.html The new maintenance builds that we made available up to this point are listed below: Oxygen XML Editor == Oxygen XML Editor 24.0 build 2021121518 https://www.oxygenxml.com/xml_editor/download_oxygenxml_editor.html Oxygen XML Editor 23.1 build 2021121415 https://www.oxygenxml.com/xml_editor/software_archive_editor.html Oxygen XML Author == Oxygen XML Author 24.0 build 2021121518 https://www.oxygenxml.com/xml_author/download_oxygenxml_author.html Oxygen XML Author 23.1 build 2021121415 https://www.oxygenxml.com/xml_author/software_archive_author.html Oxygen XML Developer == Oxygen XML Developer 24.0 build 2021121518 https://www.oxygenxml.com/xml_developer/download_oxygenxml_developer.html Oxygen XML Developer 23.1 build 2021121317 https://www.oxygenxml.com/xml_developer/software_archive_developer.html Oxygen XML Web Author == Oxygen XML Web Author 24.0.0 build 2021121314 https://www.oxygenxml.com/xml_web_author/download_oxygenxml_web_author.html XML Web Author 23.1.1.2 build 2021121408 https://www.oxygenxml.com/xml_web_author/software_archive_web_author.html Oxygen XML Web Author 22.1.0.4 build 2021121415 https://www.oxygenxml.com/xml_web_author/software_archive_web_author.html Oxygen Content Fusion == Oxygen Content Fusion 4.1.4 build 2021121611 https://www.oxygenxml.com/content_fusion/download.html Oxygen Content Fusion 3.0.1 build 2021121414 https://www.oxygenxml.com/content_fusion/software_archive_content_fusion.html Oxygen Content Fusion 2.0.3 build 2021121417 https://www.oxygenxml.com/content_fusion/software_archive_content_fusion.html Oxygen Feedback == Oxygen Feedback Enterprise 1.4.5 build 2021121314 https://www.oxygenxml.com/oxygen_feedback_enterprise/download.html Oxygen Publishing Engine == Oxygen Publishing Engine 24.0 build 2021121611 https://www.oxygenxml.com/publishing_engine/download.html Oxygen Publishing Engine 23.1 build 2021121413 https://www.oxygenxml.com/publishing_engine/software_archive_publishing_engine.html Oxygen XML WebHelp == Oxygen XML WebHelp 24.0 build 2021121511 https://www.oxygenxml.com/xml_webhelp/download_oxygenxml_webhelp.html Oxygen XML WebHelp 23.1 build 2021121412 https://www.oxygenxml.com/xml_webhelp/software_archive_webhelp.html Oxygen PDF Chemistry == Oxygen PDF Chemistry 24.0 build 2021121611 https://www.oxygenxml.com/pdf_chemistry/download.html Oxygen PDF Chemistry 23.1 build 2021121413 https://www.o
Re: [oXygen-user] [ann] Security maintenance builds in response to the Log4j vulnerability
Hi George and Oxygen Users, I apologize for bothering you at this time, but I'm trying to determine my risk with Oxygen XML 21.1, build 2019120214. I see it lists log4j 1.2.17, which I think isn't affected by this log4j problem. I'm hoping so! Best regards, Elizabeth Elizabeth McAulay Head of the Digital Library Program emcaulay /at/ library.ucla.edu https://digital.library.ucla.edu/ [UCLA Library Logo]<https://www.library.ucla.edu/> UCLA acknowledges the Gabrielino/Tongva peoples as the traditional land caretakers of Tovaangar (the Los Angeles basin and So. Channel Islands). As a land grant institution, we pay our respects to the Honuukvetam (Ancestors), ‘Ahiihirom (Elders) and ‘Eyoohiinkem (our relatives/relations) past, present and emerging. From: oXygen-user on behalf of George Bina Sent: Friday, December 17, 2021 5:35 AM To: oXygen User ML Subject: [oXygen-user] [ann] Security maintenance builds in response to the Log4j vulnerability Hi all, We made available maintenance builds for many of our products to provide a fix for the recent security vulnerabilities related to the Apache Log4j library. These builds cover the latest versions of our products as well as older versions. The corresponding security advisory is updated with the latest information about these issue, you can it at: https://www.oxygenxml.com/security/advisory/CVE-2021-44228.html The new maintenance builds that we made available up to this point are listed below: Oxygen XML Editor == Oxygen XML Editor 24.0 build 2021121518 https://www.oxygenxml.com/xml_editor/download_oxygenxml_editor.html Oxygen XML Editor 23.1 build 2021121415 https://www.oxygenxml.com/xml_editor/software_archive_editor.html Oxygen XML Author == Oxygen XML Author 24.0 build 2021121518 https://www.oxygenxml.com/xml_author/download_oxygenxml_author.html Oxygen XML Author 23.1 build 2021121415 https://www.oxygenxml.com/xml_author/software_archive_author.html Oxygen XML Developer == Oxygen XML Developer 24.0 build 2021121518 https://www.oxygenxml.com/xml_developer/download_oxygenxml_developer.html Oxygen XML Developer 23.1 build 2021121317 https://www.oxygenxml.com/xml_developer/software_archive_developer.html Oxygen XML Web Author == Oxygen XML Web Author 24.0.0 build 2021121314 https://www.oxygenxml.com/xml_web_author/download_oxygenxml_web_author.html XML Web Author 23.1.1.2 build 2021121408 https://www.oxygenxml.com/xml_web_author/software_archive_web_author.html Oxygen XML Web Author 22.1.0.4 build 2021121415 https://www.oxygenxml.com/xml_web_author/software_archive_web_author.html Oxygen Content Fusion == Oxygen Content Fusion 4.1.4 build 2021121611 https://www.oxygenxml.com/content_fusion/download.html Oxygen Content Fusion 3.0.1 build 2021121414 https://www.oxygenxml.com/content_fusion/software_archive_content_fusion.html Oxygen Content Fusion 2.0.3 build 2021121417 https://www.oxygenxml.com/content_fusion/software_archive_content_fusion.html Oxygen Feedback == Oxygen Feedback Enterprise 1.4.5 build 2021121314 https://www.oxygenxml.com/oxygen_feedback_enterprise/download.html Oxygen Publishing Engine == Oxygen Publishing Engine 24.0 build 2021121611 https://www.oxygenxml.com/publishing_engine/download.html Oxygen Publishing Engine 23.1 build 2021121413 https://www.oxygenxml.com/publishing_engine/software_archive_publishing_engine.html Oxygen XML WebHelp == Oxygen XML WebHelp 24.0 build 2021121511 https://www.oxygenxml.com/xml_webhelp/download_oxygenxml_webhelp.html Oxygen XML WebHelp 23.1 build 2021121412 https://www.oxygenxml.com/xml_webhelp/software_archive_webhelp.html Oxygen PDF Chemistry == Oxygen PDF Chemistry 24.0 build 2021121611 https://www.oxygenxml.com/pdf_chemistry/download.html Oxygen PDF Chemistry 23.1 build 2021121413 https://www.oxygenxml.com/pdf_chemistry/software_archive_chemistry.html Oxygen License Server == Oxygen License Server 24.0 build 2021121311 https://www.oxygenxml.com/license_server/download.html == The Oxygen SDK and some of the plugins that we make available that contain the log4j library were also updated: Oxygen SDK == Oxygen SDK for version 24 is updated to version 24.0.0.2 Oxygen SDK for version 23 is updated to version 23.1.0.4 Oxygen SDK for version 22 is updated to version 22.1.0.6 Please update your dependencies to our SDK to point to the corresponding fix version of the SDK. Web Author PDF Plugin == Web Auth
[oXygen-user] [ann] Security maintenance builds in response to the Log4j vulnerability
Hi all, We made available maintenance builds for many of our products to provide a fix for the recent security vulnerabilities related to the Apache Log4j library. These builds cover the latest versions of our products as well as older versions. The corresponding security advisory is updated with the latest information about these issue, you can it at: https://www.oxygenxml.com/security/advisory/CVE-2021-44228.html The new maintenance builds that we made available up to this point are listed below: Oxygen XML Editor == Oxygen XML Editor 24.0 build 2021121518 https://www.oxygenxml.com/xml_editor/download_oxygenxml_editor.html Oxygen XML Editor 23.1 build 2021121415 https://www.oxygenxml.com/xml_editor/software_archive_editor.html Oxygen XML Author == Oxygen XML Author 24.0 build 2021121518 https://www.oxygenxml.com/xml_author/download_oxygenxml_author.html Oxygen XML Author 23.1 build 2021121415 https://www.oxygenxml.com/xml_author/software_archive_author.html Oxygen XML Developer == Oxygen XML Developer 24.0 build 2021121518 https://www.oxygenxml.com/xml_developer/download_oxygenxml_developer.html Oxygen XML Developer 23.1 build 2021121317 https://www.oxygenxml.com/xml_developer/software_archive_developer.html Oxygen XML Web Author == Oxygen XML Web Author 24.0.0 build 2021121314 https://www.oxygenxml.com/xml_web_author/download_oxygenxml_web_author.html XML Web Author 23.1.1.2 build 2021121408 https://www.oxygenxml.com/xml_web_author/software_archive_web_author.html Oxygen XML Web Author 22.1.0.4 build 2021121415 https://www.oxygenxml.com/xml_web_author/software_archive_web_author.html Oxygen Content Fusion == Oxygen Content Fusion 4.1.4 build 2021121611 https://www.oxygenxml.com/content_fusion/download.html Oxygen Content Fusion 3.0.1 build 2021121414 https://www.oxygenxml.com/content_fusion/software_archive_content_fusion.html Oxygen Content Fusion 2.0.3 build 2021121417 https://www.oxygenxml.com/content_fusion/software_archive_content_fusion.html Oxygen Feedback == Oxygen Feedback Enterprise 1.4.5 build 2021121314 https://www.oxygenxml.com/oxygen_feedback_enterprise/download.html Oxygen Publishing Engine == Oxygen Publishing Engine 24.0 build 2021121611 https://www.oxygenxml.com/publishing_engine/download.html Oxygen Publishing Engine 23.1 build 2021121413 https://www.oxygenxml.com/publishing_engine/software_archive_publishing_engine.html Oxygen XML WebHelp == Oxygen XML WebHelp 24.0 build 2021121511 https://www.oxygenxml.com/xml_webhelp/download_oxygenxml_webhelp.html Oxygen XML WebHelp 23.1 build 2021121412 https://www.oxygenxml.com/xml_webhelp/software_archive_webhelp.html Oxygen PDF Chemistry == Oxygen PDF Chemistry 24.0 build 2021121611 https://www.oxygenxml.com/pdf_chemistry/download.html Oxygen PDF Chemistry 23.1 build 2021121413 https://www.oxygenxml.com/pdf_chemistry/software_archive_chemistry.html Oxygen License Server == Oxygen License Server 24.0 build 2021121311 https://www.oxygenxml.com/license_server/download.html == The Oxygen SDK and some of the plugins that we make available that contain the log4j library were also updated: Oxygen SDK == Oxygen SDK for version 24 is updated to version 24.0.0.2 Oxygen SDK for version 23 is updated to version 23.1.0.4 Oxygen SDK for version 22 is updated to version 22.1.0.6 Please update your dependencies to our SDK to point to the corresponding fix version of the SDK. Web Author PDF Plugin == Web Author PDF Plugin 24.0.0.1 https://www.oxygenxml.com/maven/com/oxygenxml/web-author-publishing-plugin/24.0.0.1 Web Author PDF Plugin 23.1.1.2 https://www.oxygenxml.com/maven/com/oxygenxml/web-author-publishing-plugin/23.1.1.2 Oxygen XML Editor/Author/Developer plugins == Please use the "Help->Manage Add-ons..." action to uninstall previous versions and make sure you installed the latest version of the following add-ons: Oxygen Web Author Test Server Add-on should be updated to version 22.1.1, 23.1.2 or 24.0.1 XSD to JSON Schema Converter should be updated to version 23.1.1 or 24.0.1 Git Client should be update to version 3.0.1 Batch Documents Converter should be updated to version 3.2.1 == We are still working to provide maintenance builds for more of the older versions as well as tools to help automating the mitigation steps. Best Regards, George -- George Cristian Bina XML Editor, Schema Editor and XSLT
