Torridity / dsworkbench

The planning tool for the browser game 'Die Staemme'
Apache License 2.0
16 stars 14 forks

[Security] Update to safe version #86

Open intrigus opened 2 years ago

intrigus commented 2 years ago

This removes any potential for exploitation of CVE-2021-44228.

extremeCrazyCoder commented 2 years ago

Where did you get the 2.15.1 version from? I can't build that stuff now

The maven repository seems to only have 2.15.0 and 2.16.0 (see https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.15.0/ )

EDIT: For my fork I simply went up to 2.16.0 see 892d0b9b4e3ae3a8e766be3002b3abfc04b1570e

EDIT2: I don't know how easy it is to exploit that using Workbench, but at least for the debugging mode this is quite easy since the whole clipboard content is being logged

intrigus commented 2 years ago

https://logging.apache.org/log4j/2.x/ says that

Log4j 2.15.1 has been released solely to disable access to JNDI by default. The CVE noted below was fixed in the 2.15.0 release. 2.15.1 is NOT a required upgrade but users may choose to use it to have confidence that JNDI will not be abused.

I just now realized that this has not yet been released... But I hope that the release will happen soon. Otherwise I'll bump this to 2.16.0

extremeCrazyCoder commented 2 years ago

Interesting, thanks. Seems dependabot also means we should use 2.16.0
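
A release check in the spirit of this thread, as an added example that is not dsworkbench code: it walks a build or lib directory, reads the version out of every `log4j-core-*.jar` file name, and reports any jar older than the threshold the thread settles on (2.16.0 by default; the second argument overrides it). The directory tree built in `demo` is constructed for illustration, nothing is downloaded.

```bash
#!/usr/bin/env bash
# Added example, not dsworkbench project code: flag log4j-core jars older than
# a minimum safe version (2.16.0, as agreed in the thread) under a directory.
# The jar names created in demo() are constructed for illustration.

# Compare dotted versions numerically; a pre-release suffix after '-' is ignored.
# Prints -1, 0 or 1 for a<b, a==b, a>b.
vercmp() {
    local a="${1%%-*}" b="${2%%-*}" i x y
    local -a pa pb
    IFS=. read -r -a pa <<< "$a"
    IFS=. read -r -a pb <<< "$b"
    for i in 0 1 2; do
        x="${pa[$i]:-0}"; y="${pb[$i]:-0}"
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Version embedded in a jar name: lib/log4j-core-2.14.1.jar -> 2.14.1
log4j_version_of() {
    local f
    f="$(basename "$1")"
    f="${f#log4j-core-}"
    printf '%s\n' "${f%.jar}"
}

# Print each log4j-core jar under $1 whose version is below $2 (default 2.16.0).
# Returns 0 when none is found, 1 when at least one outdated jar exists.
find_vulnerable_log4j() {
    local dir="$1" min="${2:-2.16.0}" found=0 jars jar v
    jars="$(find "$dir" -type f -name 'log4j-core-*.jar' | sort)"
    while IFS= read -r jar; do
        [ -n "$jar" ] || continue
        v="$(log4j_version_of "$jar")"
        if [ "$(vercmp "$v" "$min")" = "-1" ]; then
            printf 'VULNERABLE %s (%s < %s)\n' "$jar" "$v" "$min"
            found=1
        fi
    done <<< "$jars"
    return "$found"
}

# Demo on a constructed directory tree: only the 2.14.1 jar is reported.
demo() {
    local tmp
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/lib/plugins"
    touch "$tmp/lib/log4j-core-2.14.1.jar" \
          "$tmp/lib/plugins/log4j-core-2.16.0.jar" \
          "$tmp/lib/plugins/log4j-core-2.17.1.jar"
    find_vulnerable_log4j "$tmp/lib" || printf '%s\n' "remediate before release"
    rm -rf "$tmp"
}

demo
```

A file-name check cannot see a log4j-core that was shaded or renamed into another jar, so on the Maven side pair it with `mvn dependency:tree -Dincludes=org.apache.logging.log4j`, which shows the version actually resolved for the POM rather than whatever happens to sit in the output directory.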