Apache has issued an advisory today (December 14): https://www.openwall.com/lists/oss-security/2021/12/14/4 https://github.com/advisories/GHSA-7rjr-3q55-vv33 The issue is fixed upstream in 2.16.0. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 2.16.0
Whiteboard: (none) => MGA8TOO
Fixed in Cauldron.
CC: (none) => mageia
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Build failed: http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20211214215206.neoclust.duvel.3074815/log/log4j-2.16.0-1.mga9/build.i586.0.20211214215309.log
Version: 8 => Cauldron
Whiteboard: (none) => MGA8TOO
Build OK now (it was missing a BR).
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Assignee: java => qa-bugs
log4j-jcl-2.16.0-1.mga8
log4j-slf4j-2.16.0-1.mga8
log4j-2.16.0-1.mga8

from log4j-2.16.0-1.mga8.src.rpm
Status comment: Fixed upstream in 2.16.0 => (none)
Could someone briefly describe the best way to test this? Make sure Apache works before and after? Thanks.
CC: (none) => wilcal.int
This has nothing to do with Apache. Check for packages that require these ones.
The Log4j 2 API provides the interface that applications should code to and provides the adapter components required for implementers to create a logging implementation. https://logging.apache.org/log4j/2.x/manual/api.html

Microsoft doesn't own Log4J, so they are not responsible for patching a 3rd party library. Log4J is owned by Apache.

Does it affect any other applications released by Microsoft like MSSQL, SCCM or IIS etc.? No Microsoft applications use Log4J.

Using the MCC -> Install & Remove Software -> find log4j. While log4j is in there and installable, it is not installed on my webserver. Maybe this disaster has little to no effect on most of our users???
Again, it has nothing to do with the Apache web server. It's a Java library. Try:

urpmq --whatrequires log4j log4j-jcl log4j-slf4j
FWIW, clear:

urpmi --auto log4j-jcl
urpmi --auto log4j-slf4j
urpmi --auto log4j

installs without error, system reboots back to a working desktop, so just a basic install seems to be harmless.
[root@localhost wilcal]# urpmq --whatrequires log4j log4j-jcl log4j-slf4j
ant-apache-log4j
ant-apache-log4j
log4j
log4j-jcl
log4j-jcl
log4j-jcl
log4j-jcl
log4j-slf4j
log4j-slf4j
log4j-slf4j
log4j-slf4j
xbean
xbean
urpmi --auto ant-apache-log4j

[root@localhost wilcal]# urpmi --auto ant-apache-log4j
Package ant-apache-log4j-1.10.9-1.mga8.noarch is already installed

also does not seem to be harmful
In VirtualBox, M8, Plasma, 64-bit

Package(s) under test: xbean

The following 9 packages are going to be installed:
- jackson-annotations-2.11.3-1.mga8.noarch
- jackson-core-2.11.3-1.mga8.noarch
- jackson-databind-2.11.3-1.mga8.noarch
- jakarta-activation-1.2.2-1.mga8.noarch
- log4j-2.13.3-1.1.mga8.noarch
- objectweb-asm-8.0.1-1.mga8.noarch
- slf4j-1.7.30-8.mga8.noarch
- xbean-4.15-2.mga8.noarch
- xbean-javadoc-4.15-2.mga8.noarch

Does no harm
Which version is right for me to test? I'm lost on this ticket.
CC: (none) => brtians1
Microsoft warns China, Iran, North Korea and Turkey are exploiting recently revealed software vulnerability https://www.cnn.com/2021/12/15/politics/microsoft-china-iran-log4j/index.html
(In reply to Brian Rockwell from comment #13)
> Which version is right for me to test? I'm lost on this ticket.

I'm with you Brian. I think we don't understand this enough to determine what the best plan of testing is. Certainly a subject for tomorrow's QA meeting.
The version in updates_testing, 2.16.0.
In VirtualBox client, M8, Plasma, 64-bit

clear

urpmi --auto log4j-jcl
urpmi --auto log4j-slf4j
urpmi --auto log4j

Package log4j-jcl-2.13.3-1.1.mga8.noarch is already installed
Package log4j-slf4j-2.13.3-1.1.mga8.noarch is already installed
Package log4j-2.13.3-1.1.mga8.noarch is already installed

Install updates from updates testing

Package log4j-jcl-2.16.0-1.mga8.noarch is already installed
Package log4j-slf4j-2.16.0-1.mga8.noarch is already installed
Package log4j-2.16.0-1.mga8.noarch is already installed

Does not seem to cause any problems
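The two checks the thread keeps coming back to, "is the installed log4j at or above the fixed 2.16.0?" and "which other packages pull log4j in and need retesting?", can be scripted. The following is an added example, not from this bug report or the Mageia packages: it works on constructed input (package names copied from the comments above and the `urpmq --whatrequires` listing from comment 17), so it runs offline; on a real Mageia 8 host the inputs would come from `rpm -q log4j log4j-jcl log4j-slf4j` and `urpmq --whatrequires log4j log4j-jcl log4j-slf4j`.

```shell
#!/bin/sh
# Added example (not part of the bug thread). Decides, from rpm package names of
# the form name-version-release[.arch], whether each log4j package is at or above
# the fixed version 2.16.0 named in the thread, and lists the distinct reverse
# dependencies that should be retested after the update.

FIXED_VERSION="2.16.0"

# Extract the version component from an NVR such as log4j-jcl-2.13.3-1.1.mga8.noarch.
# Strips a trailing ".noarch", then the release ("-1.1.mga8"), then the name.
nvr_version() {
    nvr=$1
    noarch=${nvr%.noarch}
    norel=${noarch%-*}
    echo "${norel##*-}"
}

# Return 0 when dotted version $1 >= dotted version $2, comparing each
# numeric component in turn; a missing component counts as 0 (2.16 == 2.16.0).
version_ge() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        c1=${v1%%.*}; c2=${v2%%.*}
        case "$v1" in *.*) v1=${v1#*.};; *) v1="";; esac
        case "$v2" in *.*) v2=${v2#*.};; *) v2="";; esac
        c1=${c1:-0}; c2=${c2:-0}
        if [ "$c1" -gt "$c2" ]; then return 0; fi
        if [ "$c1" -lt "$c2" ]; then return 1; fi
    done
    return 0
}

# Return 0 when the package named by NVR $1 carries the fixed version or newer.
log4j_fixed() {
    version_ge "$(nvr_version "$1")" "$FIXED_VERSION"
}

# Constructed copy of the `urpmq --whatrequires` output quoted in the thread.
# urpmq repeats a name once per matching requirement, and the log4j packages
# list each other, so the raw output needs deduplicating and filtering.
URPMQ_OUTPUT="ant-apache-log4j
ant-apache-log4j
log4j
log4j-jcl
log4j-jcl
log4j-slf4j
log4j-slf4j
xbean
xbean"

# Print the distinct packages that depend on log4j, excluding the log4j
# packages themselves, one per line, sorted.
dependents() {
    printf '%s\n' "$URPMQ_OUTPUT" | grep -v '^log4j' | sort -u
}

# Demo on the package names quoted in the thread (before and after the update).
for nvr in log4j-2.13.3-1.1.mga8.noarch log4j-jcl-2.16.0-1.mga8.noarch; do
    if log4j_fixed "$nvr"; then
        echo "$nvr: fixed (>= $FIXED_VERSION)"
    else
        echo "$nvr: still below $FIXED_VERSION, update needed"
    fi
done
echo "Packages to retest after the update:"
dependents
```

The version test is the reason the "which version do I test?" question matters: 2.13.3 (the current Mageia 8 package) compares below 2.16.0, while the updates_testing packages compare at or above it. The dependents list is what comment 15 asks the tester to check; on this thread's output it reduces to ant-apache-log4j and xbean.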
Ubuntu has issued an advisory for this on December 15: https://ubuntu.com/security/notices/USN-5197-1
(In reply to David Walser from comment #18)
> Ubuntu has issued an advisory for this on December 15:
> https://ubuntu.com/security/notices/USN-5197-1

I don't see that in our repo.
(In reply to William Kenney from comment #19)
> (In reply to David Walser from comment #18)
> > Ubuntu has issued an advisory for this on December 15:
> > https://ubuntu.com/security/notices/USN-5197-1
>
> I don't see that in our repo.

I have no idea what you mean by that. I'm just documenting a third-party advisory for this issue, as I usually do.
(In reply to David Walser from comment #20)
> (In reply to William Kenney from comment #19)
> > (In reply to David Walser from comment #18)
> > > Ubuntu has issued an advisory for this on December 15:
> > > https://ubuntu.com/security/notices/USN-5197-1
> >
> > I don't see that in our repo.
>
> I have no idea what you mean by that. I'm just documenting a third-party
> advisory for this issue, as I usually do.

The Ubuntu advisory is for liblog4j2-java (Apache log4j package) which Mageia doesn't have in our repositories. It isn't an advisory for log4j itself.
CC: (none) => davidwhodgins
That is log4j. Debian has a goofy naming scheme for their binary packages.
Debian has issued an advisory for this on December 16: https://www.debian.org/security/2021/dsa-5022
Created attachment 13055 [details]
Execute Log4j from java

This will not test the bug, but does call the new routines and writes to console an error message saying "Hello World". It confirms the api/core work.

$ java -cp .:/usr/share/java/log4j/log4j-core.jar:/usr/share/java/log4j/log4j-api.jar log4j_t1.Test1L
16:10:29.101 [main] ERROR HelloWorld - Hello, World!

If you extract the folder to home and have installed the latest log4j files, this should work.
Oh, go into the bin folder first.
As was discussed at the QA meeting two days ago, passing this on the basis of the two clean installs.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0566.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED