Re: Log4J saga (CVE-2021-45046)

2021-12-15 Thread Shawn Heisey
On 12/15/21 11:53 AM, Scott Derrick wrote:
I find these files in my solr install
./server/lib/ext/log4j-core-2.11.0.jar
./server/lib/ext/log4j-1.2-api-2.11.0.jar
./server/lib/ext/log4j-api-2.11.0.jar
./server/lib/ext/log4j-slf4j-impl-2.11.0.jar
./contrib/prometheus-exporter/lib/log4j-core-2.11.0

Re: Log4J saga (CVE-2021-45046)

2021-12-15 Thread Mike Drob
That should be sufficient based on our current understanding of the situation, yes.

On Wed, Dec 15, 2021 at 12:53 PM Scott Derrick wrote:
> I find these files in my solr install
>
> ./server/lib/ext/log4j-core-2.11.0.jar
> ./server/lib/ext/log4j-1.2-api-2.11.0.jar
> ./server/lib/ext/log4j-api-2.

Re: Log4J saga (CVE-2021-45046)

2021-12-15 Thread Walter Underwood
That is fixed in log4j 2.16.0, included in Solr 8.11.1.

wunder
Walter Underwood
wun...@wunderwood.org
http://observer.wunderwood.org/ (my blog)

> On Dec 15, 2021, at 4:40 AM, e_bri...@videotron.ca wrote:
>
> Hi all,
>
> Looks like we are not done with log4j security problems. Someone has
> re

Re: Log4J saga (CVE-2021-45046)

2021-12-15 Thread Thomas Corthals
Keep in mind that you can have more than one log4j-core-*.jar to patch. In my case:

/opt/solr-8.4.0/server/lib/ext/log4j-core-2.11.2.jar
/opt/solr-8.4.0/contrib/prometheus-exporter/lib/log4j-core-2.11.2.jar

Thomas

On Wed, 15 Dec 2021 at 13:52, Bernd Fehling < bernd.fehl...@uni-bielefeld.de

Re: Log4J saga (CVE-2021-45046)

2021-12-15 Thread Andy Lester
> > Is there already an idea when 8.11.1 is supposed to be released?

This was discussed yesterday. Check the archives for the full explanation. Short version: can’t give a definite date but it will be no sooner than a week from now.

Re: Log4J saga (CVE-2021-45046)

2021-12-15 Thread Rahul Goswami
We just upgraded to log4j2-2.16. It disables JNDI lookups altogether by default.

-Rahul

On Wed, Dec 15, 2021 at 7:40 AM wrote:
> Hi all,
>
> Looks like we are not done with log4j security problems. Someone has
> recommendations about CVE-2021-45046?
>
> Eric Briere
>

Re: Log4J saga (CVE-2021-45046)

2021-12-15 Thread Bernd Fehling
Isn't the example with "zip -q -d ..." as reported in the CVE not working for you?

Regards
Bernd

On 15.12.21 at 13:40, e_bri...@videotron.ca wrote:
Hi all,

Looks like we are not done with log4j security problems. Someone has recommendations about CVE-2021-45046?

Eric Briere