Re: [Geoserver-users] [EXTERN!]: LOG4J Version in GeoServer

2022-01-24 Thread Jody Garnett
We actually have a call out for sponsors and proposals on replacing the log4j1 library: http://geoserver.org/behind%20the%20scenes/2022/01/20/log4j-upgrade.html Please support geoserver! -- Jody Garnett On Mon, 24 Jan 2022 at 03:52, Andrea Aime wrote: > See >

Re: [Geoserver-users] [EXTERN!]: LOG4J Version in GeoServer

2022-01-24 Thread Andrea Aime
See http://geoserver.org/behind%20the%20scenes/2022/01/20/log4j-upgrade.html If you and your customers are in urgent need for this upgrade, don't hesitate to sponsor the effort. Cheers Andrea On Mon, Jan 10, 2022 at 5:32 PM Ron Lindhoudt via Geoserver-users <

Re: [Geoserver-users] [EXTERN!]: LOG4J Version in GeoServer

2022-01-10 Thread Stefan Ziegler
@lists.sourceforge.net; Mark Prins Subject: Re: [Geoserver-users] [EXTERN!]: LOG4J Version in GeoServer Our customers are demanding to support the latest version of log4j in Geoserver, I mean the latest 2.* without vulnerabilities because log4j 1.* is EOL. On the Geoserver website I found this (13-12

Re: [Geoserver-users] [EXTERN!]: LOG4J Version in GeoServer

2022-01-10 Thread Ian Turton
Currently there are no plans to change the logging framework. The question is how much do you and your customers want to make this change happen? Even estimating the cost of the update is probably several days' work, so until we get funding to start looking there isn't even a plan. There is a

Re: [Geoserver-users] [EXTERN!]: LOG4J Version in GeoServer

2022-01-10 Thread Ron Lindhoudt via Geoserver-users
Our customers are demanding to support the latest version of log4j in Geoserver, I mean the latest 2.* without vulnerabilities because log4j 1.* is EOL. On the Geoserver website I found this (13-12-2021): We are also aware that Log4J 1.2.17 is an “End Of Life” (EOL) project, and are actively

Re: [Geoserver-users] [EXTERN!]: LOG4J Version in GeoServer

2021-12-20 Thread Mark Prins
On 19-12-2021 11:11, Michael Steigemann via Geoserver-users wrote: Hello! Thank you very much for providing the geoserver.war: log4j-1.2.17.norce.jar. I have integrated into geoserver and ran an OWASP dependency check (

Re: [Geoserver-users] [EXTERN!]: LOG4J Version in GeoServer

2021-12-19 Thread Michael Steigemann via Geoserver-users
ns without JMSAppender >> are not impacted by this vulnerability.* >> >> https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228 >> >> >> >> Regards >> Daniel >> >> >> >> *From:* Michael Steigemann via Geoserver-users [

Re: [Geoserver-users] [EXTERN!]: LOG4J Version in GeoServer

2021-12-16 Thread Andrea Aime
MSAppender configured. Log4j 1.x configurations without JMSAppender > are not impacted by this vulnerability.* > > https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228 > > > > Regards > Daniel > > > > *From:* Michael Steigemann via Geoserver-users [mailto: >

Re: [Geoserver-users] [EXTERN!]: LOG4J Version in GeoServer

2021-12-16 Thread Ron Lindhoudt via Geoserver-users
oserver-users [mailto:geoserver-users@lists.sourceforge.net] Sent: Monday, December 13, 2021 7:53 PM To: GeoServer Mailing List List Subject: [EXTERN!]: [Geoserver-users] LOG4J Version in GeoServer Hello! I think most of you have heard of the LOG4J vulnerability these days: https://nvd.nist.go

Re: [Geoserver-users] [EXTERN!]: LOG4J Version in GeoServer

2021-12-16 Thread Calliess Daniel Ing .
/security.html#CVE-2021-44228 Regards Daniel From: Michael Steigemann via Geoserver-users [mailto:geoserver-users@lists.sourceforge.net] Sent: Monday, December 13, 2021 7:53 PM To: GeoServer Mailing List List Subject: [EXTERN!]: [Geoserver-users] LOG4J Version in GeoServer Hello! I think most of you