Alexander,
Will you set the lower bound to force the fixed version and
to disallow the older version?
If only the installer and its product catalogs were
involved, I could fix the problem easily by adding an update
site and forcing the version range to install the fixed
version. I wouldn't even need a new version of Passage to
force/fix that...
But we're also talking about the release train repository,
which would need a respin. Unfortunately there are updates
in the SimRel repo after the 2021-12 tag:
Some of those will be needed because the https://download.eclipse.org/eclipse/updates/4.22-I-builds
repository is gone. Hopefully other projects contributed
stable repositories with unchanging released content rather
than pointing at "moving target" that has changed its
content since the release.
If we decide we need to do a respin and we accomplish that,
then EPP needs to respin as well. This will be something
the Planning Council will need to discuss and to decide
which actions to take.
Only you know how Passage uses the logging facility to know
if there is in actual fact a risk. I.e., is Passage
actually logging information obtained from an internet
connection and is that actually enabled/activated in the
RCP/RAP package itself? I.e., does what Jens Lideström
outlined apply? (Thanks Jens!) If not, then perhaps we're
unduly alarmed. I could see nothing that appears to be
related to Passage in an IDE into which I installed Passage,
i.e., no preferences, no wizards, no views, nothing obvious.
Is it perhaps the case that the security problems would
only manifest themselves in applications where Passage is
deployed at runtime for licensing control of that
application?
Please try to outline the risk factors of Passage's
development tools being installed in a IDE application to
help inform the Planning Council in making a decision.
P.S., Passage in the only component on the 2021-12 train
that is affected; I cannot comment on all
Eclipse-distributed content in general...
Regards,
Ed
On 12.12.2021 11:04, Alexander
Fedorov wrote:
Passage Team is working to provide Eclipse Passage 2.2.1
that will consume fixed logger from https://download.eclipse.org/tools/orbit/downloads/drops2/I20211211225428/repository
Ed, how could we then provide an update for released SimRel
2021-12?
Regards,
AF
P.S. I'm really surprised to have the only component
affected after having org.apache.logging.log4j
2.8.2 published in Eclipse Orbit starting from
2020-09 (6 releases).
12/12/2021 12:41 PM, Ed Merks
пишет:
Just to avoid any confusion such as that which Ed
Willink mentioned, the https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
issue is specifically about the class
org.apache.logging.log4j.core/lookup.JndiLookup.which is
not in a package provided by org.apache.log4j but
rather in a package provided by org.apache.logging.log4j
as illustrated here in a CBI p2 aggregator repo
view:
Based on the analysis tool
I've been developing for better managing SimRel, e.g.,
to provide traceability and dependency analysis, it's
definitely the case that only Passage depends on this
bundle:
Specifically via bundle
requirements (as opposed to package requirements):
The bad news is that the
RCP/RAP package contains Passage and hence the bad
version of the org.apache.logging.log4j bundle.
What's not clear is whether
Passage actually logs messages whose content can be
externally subverted/exploited via contact to the web
and whether such actions are activity is actually
enabled by default, e.g., in the RCP/RAP package...
Regards,
Ed
On 11.12.2021 20:48, Gunnar
Wagenknecht wrote:
Thanks Matthias!
According to Wayne, 2.15 has already been
vetted and is good for use:
-Gunnar
Alexander,
It would be great to
learn vulnerability clean-up
process with Eclipse Orbit team
to then apply it to Eclipse
Passage.
There is no Orbit team.
Orbit is driven by project committers
using/needing libraries in Orbit.
I encourage the Eclipse
Passage project to submit a Gerrit
review for a newer version.
considering the buzz around
this vulnerability I went ahead and pushed
an update to log4j 2.15 for orbit
note that the required
clearlydefined score isn't reached yet, if
this doesn't change soon
maybe someone can contribute
the missing information to
clearlydefined or
we file CQs to get the license
approval for the new version
You can also try a new way
as described by Mickael here:
-Gunnar
_______________________________________________
orbit-dev mailing list
orbit-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/orbit-dev
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev