mtoensing / Docker-Minecraft-PaperMC-Server

Starts a Minecraft PaperMC server
https://hub.docker.com/r/marctv/minecraft-papermc-server
MIT License

RCE 0-day exploit in log4j #36

Closed svenmauch closed 2 years ago

svenmauch commented 2 years ago

There's a pretty severe vulnerability in log4j with working exploits already showing up. I suggest adding the JVM flag -Dlog4j2.formatMsgNoLookups=true to all branches, especially since paper will not be fixing versions older than 1.16.5.

More info: https://www.lunasec.io/docs/blog/log4j-zero-day/

mtoensing commented 2 years ago

Thanks for bringing this to my attention. Would you think that adding the JVM flag here solves this?

https://github.com/mtoensing/Docker-Minecraft-PaperMC-Server/blob/master/Dockerfile#L55

like this in 1.18:

https://github.com/mtoensing/Docker-Minecraft-PaperMC-Server/blob/1.18/Dockerfile#L52

?

Thank you again!
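As an added example (not this repository's Dockerfile or code), the check below reads Dockerfile text and reports whether the lookup-disabling mitigation discussed above is present in one of the three forms log4j or the JVM honours: the -Dlog4j2.formatMsgNoLookups=true flag on the java CMD/ENTRYPOINT line, the same flag in JAVA_TOOL_OPTIONS, or log4j's LOG4J_FORMAT_MSG_NO_LOOKUPS=true environment switch. The Dockerfile fragments are constructed samples; note that the flag is only honoured by log4j 2.10 and later and is a stopgap, so the durable fix remains updating log4j itself, which this check does not verify.

```shell
#!/bin/sh
# Constructed Dockerfile fragments for the demo; not the repository's own.
DOCKERFILE_FLAG_IN_CMD='FROM eclipse-temurin:17-jre
WORKDIR /data
CMD ["java", "-Xmx2G", "-Dlog4j2.formatMsgNoLookups=true", "-jar", "paper.jar", "--nogui"]'

DOCKERFILE_ENV_SWITCH='FROM eclipse-temurin:17-jre
ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true
CMD ["java", "-Xmx2G", "-jar", "paper.jar", "--nogui"]'

DOCKERFILE_UNPATCHED='FROM eclipse-temurin:17-jre
CMD ["java", "-Xmx2G", "-jar", "paper.jar", "--nogui"]'

# check_log4j_mitigation DOCKERFILE_TEXT
# Returns 0 when the build instructions apply the lookup-disabling
# mitigation in one of three forms, 1 otherwise. It inspects the
# Dockerfile only; it cannot tell which log4j version is inside the jar.
check_log4j_mitigation() {
  flag='-Dlog4j2.formatMsgNoLookups=true'
  # 1. Flag on the java command line in CMD or ENTRYPOINT.
  if printf '%s\n' "$1" | grep -E '^(CMD|ENTRYPOINT)[[:space:]]' \
       | grep -F -q -- "$flag"; then
    echo "ok: $flag set on the java command line"; return 0
  fi
  # 2. Flag injected through JAVA_TOOL_OPTIONS, which the JVM reads at startup.
  if printf '%s\n' "$1" | grep -E '^ENV[[:space:]]+JAVA_TOOL_OPTIONS' \
       | grep -F -q -- "$flag"; then
    echo "ok: $flag set through JAVA_TOOL_OPTIONS"; return 0
  fi
  # 3. log4j's own environment switch (ENV KEY=value or ENV KEY value).
  if printf '%s\n' "$1" \
       | grep -E -q '^ENV[[:space:]]+LOG4J_FORMAT_MSG_NO_LOOKUPS[= ][[:space:]]*"?true'; then
    echo "ok: LOG4J_FORMAT_MSG_NO_LOOKUPS=true set"; return 0
  fi
  echo "MISSING: no log4j lookup mitigation in build instructions"
  return 1
}

# Run the check over the three constructed samples.
for sample in "$DOCKERFILE_FLAG_IN_CMD" "$DOCKERFILE_ENV_SWITCH" "$DOCKERFILE_UNPATCHED"; do
  check_log4j_mitigation "$sample" || true
done
```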

mtoensing commented 2 years ago

I keep it open for everyone to see

lifeModder19135 commented 2 years ago

The vulnerability was patched about a week or so after discovery. You just need to bring in the patch and run docker commit or similar. I would add it to your base image via commandline and add another image layer overtop. That way no one tries to i.e. dig up the old layer(s) and redeploy themselves... bundled with an extra layer full of spyware, etc. I doubt they'll be kind enough to change the title / author first. Hiding it should decrease chances...

mtoensing commented 2 years ago

Done