Significant security vulnerability discovered in Log4j

2021-12-10 Thread Jason Liu
In case everyone hadn't heard the news. If anyone is running Log4j for logging on any of your web servers, you might want to read this. WIRED: 'The Internet Is On Fire' A vulnerability in the Log4j logging framework has security teams scra

Re: Significant security vulnerability discovered in Log4j

2021-12-11 Thread Eric Gallager via macports-dev
On Fri, Dec 10, 2021 at 6:00 PM Jason Liu wrote:
>
> In case everyone hadn't heard the news. If anyone is running Log4j for
> logging on any of your web servers, you might want to read this.
>
> WIRED: 'The Internet Is On Fire'
> A vulnerability in the Log4j logging framework has security teams s

Re: Significant security vulnerability discovered in Log4j

2021-12-11 Thread Jason Liu
On Sat, Dec 11, 2021 at 1:32 PM Eric Gallager wrote:
>
> so... is there anything to do about this in MacPorts?
>

There's probably nothing that can be done in terms of the MacPorts packages. It's basically dependent on upstream developers to patch anything that might be affected. It was more of a

Re: Significant security vulnerability discovered in Log4j

2021-12-12 Thread Nils Breunese
Eric Gallager wrote:
> On Fri, Dec 10, 2021 at 6:00 PM Jason Liu wrote:
>>
>> In case everyone hadn't heard the news. If anyone is running Log4j for
>> logging on any of your web servers, you might want to read this.
>>
>> WIRED: 'The Internet Is On Fire'
>> A vulnerability in the Log4j loggi

Re: Significant security vulnerability discovered in Log4j

2021-12-12 Thread Joshua Root
On 2021-12-12 20:02 , Nils Breunese wrote: It could be the case that MacPorts has ports for Java-based applications that include a vulnerable version of the Log4J library. A port that includes a file called log4j-$version.jar with $version in the range 2.0.0-2.14.1 could be vulnerable. This fil

Re: Significant security vulnerability discovered in Log4j

2021-12-12 Thread Nils Breunese
Joshua Root wrote:
> On 2021-12-12 20:02 , Nils Breunese wrote:
>> It could be the case that MacPorts has ports for Java-based applications that
>> include a vulnerable version of the Log4J library. A port that includes a
>> file called log4j-$version.jar with $version in the range 2.0.0-2.14.1

Re: Significant security vulnerability discovered in Log4j

2021-12-12 Thread Nils Breunese
Nils Breunese wrote:
> For versions of Log4J 2.x older than these properties are not read yet. (…)

I meant to write: For versions of Log4J 2.x older than *2.10* these properties are not read yet, so you can’t use the properties to mitigate the vulnerability if you’re using Log4J < 2.10.

Nils.

Re: Significant security vulnerability discovered in Log4j

2021-12-12 Thread Steven Smith
Please see: https://github.com/macports/macports-ports/pull/13322

> On Dec 12, 2021, at 7:36 AM, Nils Breunese wrote:
>
> https://github.com/apache/solr/pull/454#issuecomment-991066278
> says: "Just
> open your solr.in.sh in your

Re: Significant security vulnerability discovered in Log4j

2021-12-12 Thread Nils Breunese
Eric Gallager wrote:
> On Sun, Dec 12, 2021 at 4:57 AM Joshua Root wrote:
>>
>> On 2021-12-12 20:02 , Nils Breunese wrote:
>>> It could be the case that MacPorts has ports for Java-based applications
>>> that include a vulnerable version of the Log4J library. A port that
>>> includes a file ca

Re: Significant security vulnerability discovered in Log4j

2021-12-12 Thread Nils Breunese
Nils Breunese wrote: > Eric Gallager wrote: > >> On Sun, Dec 12, 2021 at 4:57 AM Joshua Root wrote: >>> >>> On 2021-12-12 20:02 , Nils Breunese wrote: It could be the case that MacPorts has ports for Java-based applications that include a vulnerable version of the Log4J library. A p

Re: Significant security vulnerability discovered in Log4j

2021-12-12 Thread Eric Gallager via macports-dev
On Sun, Dec 12, 2021 at 3:53 PM Nils Breunese wrote: > > Nils Breunese wrote: > > > Eric Gallager wrote: > > > >> On Sun, Dec 12, 2021 at 4:57 AM Joshua Root wrote: > >>> > >>> On 2021-12-12 20:02 , Nils Breunese wrote: > It could be the case that MacPorts has ports for Java-based applicati

Re: Significant security vulnerability discovered in Log4j

2021-12-12 Thread Steven Smith
Please see https://github.com/macports/macports-ports/pull/13331

> On Dec 12, 2021, at 7:36 AM, Nils Breunese wrote:
>
> 2. elasticsearch 7.15.2_0 includes log4j-core-2.11.1.jar, which is a
> vulnerable version of Log4J 2.x
>
> https://github.com/elastic/elasticsearch/issues/81618
>

Re: Significant security vulnerability discovered in Log4j

2021-12-13 Thread Arjun Salyan
> On 12-Dec-2021, at 3:27 PM, Joshua Root wrote:
>
> Not all ports have installed file information available, but the web app can
> search the ones that do:
>
>

I identified an issue with the way we were updating our search index.

Re: Significant security vulnerability discovered in Log4j

2021-12-14 Thread Nils Breunese
Arjun Salyan wrote:
>> On 12-Dec-2021, at 3:27 PM, Joshua Root wrote:
>>
>> Not all ports have installed file information available, but the web app can
>> search the ones that do:
>>
>>
>
> I identified an issue with the way we w

Re: Significant security vulnerability discovered in Log4j

2021-12-14 Thread Steven Smith
Thank you for posting! Please see https://github.com/macports/macports-ports/pull/13353 .

> On Dec 14, 2021, at 6:47 PM, Nils Breunese wrote:
>
> A couple of hours ago
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
>

Re: Significant security vulnerability discovered in Log4j

2021-12-14 Thread Steven Smith
Also please see https://github.com/macports/macports-ports/pull/13361

> On Dec 14, 2021, at 6:47 PM, Nils Breunese wrote:
>
> A couple of hours ago
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
>