| Summary: | log4j new security issue CVE-2021-45046 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, brtians1, davidwhodgins, mageia, sysadmin-bugs, wilcal.int |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | log4j-2.14.1-2.mga9.src.rpm | CVE: | |
| Status comment: | | | |
| Attachments: | Execute Log4j from java | | |
Description

David Walser 2021-12-14 22:10:38 CET

David Walser 2021-12-14 22:10:51 CET

Status comment: (none) => Fixed upstream in 2.16.0

fixed in cauldron.

CC: (none) => mageia

Build failed: http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20211214215206.neoclust.duvel.3074815/log/log4j-2.16.0-1.mga9/build.i586.0.20211214215309.log

Version: 8 => Cauldron

build OK now (it was missing a BR)

Whiteboard: MGA8TOO => (none)

log4j-jcl-2.16.0-1.mga8
log4j-slf4j-2.16.0-1.mga8
log4j-2.16.0-1.mga8
from log4j-2.16.0-1.mga8.src.rpm

Status comment: Fixed upstream in 2.16.0 => (none)

Could someone briefly describe the best way to test this. Make sure Apache works before and after? Thanks

CC: (none) => wilcal.int

This has nothing to do with Apache. Check for packages that require these ones.

The Log4j 2 API provides the interface that applications should code to and provides the adapter components required for implementers to create a logging implementation.
https://logging.apache.org/log4j/2.x/manual/api.html

Microsoft doesn't own Log4J, so they are not responsible for patching a 3rd party library. Log4J is owned by Apache.

does it affect any other applications released by Microsoft like MSSQL, SCCM or IIS etc.
no Microsoft applications use Log4J

Using the MCC -> Install & Remove Software -> find log4j
While log4j is in there and installable it is not installed on my webserver
Maybe this disaster has little to no effect on most of our users???

Again, it has nothing to do with the Apache web server. It's a Java library.

Try urpmq --whatrequires log4j log4j-jcl log4j-slf4j

FWIW

clear
urpmi --auto log4j-jcl
urpmi --auto log4j-slf4j
urpmi --auto log4j

installs without error
system reboots back to a working desktop
so just a basic install seems to be harmless

[root@localhost wilcal]# urpmq --whatrequires log4j log4j-jcl log4j-slf4j
ant-apache-log4j
ant-apache-log4j
log4j
log4j-jcl
log4j-jcl
log4j-jcl
log4j-jcl
log4j-slf4j
log4j-slf4j
log4j-slf4j
log4j-slf4j
xbean
xbean

urpmi --auto ant-apache-log4j

[root@localhost wilcal]# urpmi --auto ant-apache-log4j
Package ant-apache-log4j-1.10.9-1.mga8.noarch is already installed

also does not seem to be harmful

In VirtualBox, M8, Plasma, 64-bit

Package(s) under test: xbean

The following 9 packages are going to be installed:
- jackson-annotations-2.11.3-1.mga8.noarch
- jackson-core-2.11.3-1.mga8.noarch
- jackson-databind-2.11.3-1.mga8.noarch
- jakarta-activation-1.2.2-1.mga8.noarch
- log4j-2.13.3-1.1.mga8.noarch
- objectweb-asm-8.0.1-1.mga8.noarch
- slf4j-1.7.30-8.mga8.noarch
- xbean-4.15-2.mga8.noarch
- xbean-javadoc-4.15-2.mga8.noarch

Does no harm

Which version is right for me to test? I'm lost on this ticket.

CC: (none) => brtians1

Microsoft warns China, Iran, North Korea and Turkey are exploiting recently revealed software vulnerability
https://www.cnn.com/2021/12/15/politics/microsoft-china-iran-log4j/index.html

(In reply to Brian Rockwell from comment #13)
> Which version is right for me to test? I'm lost on this ticket.

I'm with you Brian. I think we don't understand this enough to determine what the best plan of testing is. Certainly a subject for tomorrow's QA meeting.

The version in updates_testing, 2.16.0.

In VirtualBox client, M8, Plasma, 64-bit

clear
urpmi --auto log4j-jcl
urpmi --auto log4j-slf4j
urpmi --auto log4j

Package log4j-jcl-2.13.3-1.1.mga8.noarch is already installed
Package log4j-slf4j-2.13.3-1.1.mga8.noarch is already installed
Package log4j-2.13.3-1.1.mga8.noarch is already installed

Install updates from updates testing

Package log4j-jcl-2.16.0-1.mga8.noarch is already installed
Package log4j-slf4j-2.16.0-1.mga8.noarch is already installed
Package log4j-2.16.0-1.mga8.noarch is already installed

Does not seem to cause any problems

Ubuntu has issued an advisory for this on December 15:
https://ubuntu.com/security/notices/USN-5197-1

(In reply to David Walser from comment #18)
> Ubuntu has issued an advisory for this on December 15:
> https://ubuntu.com/security/notices/USN-5197-1

I don't see that in our repo.

(In reply to William Kenney from comment #19)
> (In reply to David Walser from comment #18)
> > Ubuntu has issued an advisory for this on December 15:
> > https://ubuntu.com/security/notices/USN-5197-1
>
> I don't see that in our repo.

I have no idea what you mean by that. I'm just documenting a third-party advisory for this issue, as I usually do.

(In reply to David Walser from comment #20)
> (In reply to William Kenney from comment #19)
> > (In reply to David Walser from comment #18)
> > > Ubuntu has issued an advisory for this on December 15:
> > > https://ubuntu.com/security/notices/USN-5197-1
> >
> > I don't see that in our repo.
>
> I have no idea what you mean by that. I'm just documenting a third-party
> advisory for this issue, as I usually do.

The ubuntu advisory is for liblog4j2-java (Apache log4j package) which Mageia doesn't have in our repositories. It isn't an advisory for log4j itself.

CC: (none) => davidwhodgins

That is log4j. Debian has a goofy naming scheme for their binary packages.

Debian has issued an advisory for this on December 16:
https://www.debian.org/security/2021/dsa-5022

Created attachment 13055 [details]
Execute Log4j from java

This will not test the bug, but does call the new routines and writes to the console an error message saying "Hello World". It confirms the api/core work.
```
$ java -cp .:/usr/share/java/log4j/log4j-core.jar:/usr/share/java/log4j/log4j-api.jar log4j_t1.Test1L
16:10:29.101 [main] ERROR HelloWorld - Hello, World!
```
If you extract folder to home and have installed the latest log4j files this should work.
oh go into bin folder first

As was discussed at the QA meeting two days ago, passing this on the basis of the two clean installs.

Keywords: (none) => validated_update
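The attached Test1L only logs one message. As an added example (not the ticket's attachment or Mageia's code), here is a similar class that logs the same way and then reports which log4j-core version was actually loaded, failing if it is older than the 2.16.0 in updates_testing; it assumes the jar paths quoted in the ticket, that the log4j-core manifest carries an Implementation-Version, and the hypothetical class name VersionCheck.

```java
// Added example, not the attachment from this ticket. Build and run against
// the Mageia jars (same classpath as the attachment's command line):
//   javac -cp /usr/share/java/log4j/log4j-api.jar:/usr/share/java/log4j/log4j-core.jar -d bin VersionCheck.java
//   java  -cp bin:/usr/share/java/log4j/log4j-core.jar:/usr/share/java/log4j/log4j-api.jar log4j_t1.VersionCheck
package log4j_t1;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.core.LoggerContext;

public class VersionCheck {
    private static final Logger LOG = LogManager.getLogger("HelloWorld");

    // Minimum version expected under test: 2.16.0, the update in updates_testing.
    private static final int[] MIN = {2, 16, 0};

    /** Parses "2.16.0" into {2, 16, 0}; absent components count as 0. */
    static int[] parse(String version) {
        String[] parts = version.split("[^0-9]+");
        int[] out = new int[3];
        for (int i = 0; i < 3 && i < parts.length; i++) {
            out[i] = parts[i].isEmpty() ? 0 : Integer.parseInt(parts[i]);
        }
        return out;
    }

    /** True if a >= b, comparing major, minor and patch numerically. */
    static boolean atLeast(int[] a, int[] b) {
        for (int i = 0; i < 3; i++) {
            if (a[i] != b[i]) return a[i] > b[i];
        }
        return true;
    }

    public static void main(String[] args) {
        // Same call the attachment makes; with no log4j2.xml present the default
        // configuration writes ERROR-level events to the console, as seen in the ticket.
        LOG.error("Hello, World!");

        // Read from log4j-core's MANIFEST.MF (assumed present; null if it is not).
        String ver = LoggerContext.class.getPackage().getImplementationVersion();
        if (ver == null) {
            System.err.println("log4j-core manifest has no Implementation-Version");
            System.exit(2);
        }
        boolean ok = atLeast(parse(ver), MIN);
        System.out.println("log4j-core " + ver + (ok ? " >= 2.16.0: OK" : " < 2.16.0: not the update under test"));
        System.exit(ok ? 0 : 1);
    }
}
```

A non-zero exit means the jars on the classpath are still the 2.13.3 ones from release rather than the update being validated.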
Thomas Backlund 2021-12-19 12:21:10 CET

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0566.html

Resolution: (none) => FIXED