Use Pax Logging 2.0.13 #1354
Pax Logging 2.0.13 uses log4j2 2.17 which fixes CVE-2021-45105.

Also-by: Łukasz Dywicki <[email protected]>
Signed-off-by: Wouter Born <[email protected]>
@wborn This now results for me in these errors at startup:
The file
still lists
so the
I don't see this exception and it uses the updated bundles:
I actually have quite some other hits:
Can you confirm that all these already reference 2.0.13 in your case, @wborn?
These still also reference 2.0.12 for me but I don't see any exceptions. We could remove the exclude again so the JAR is still there for the scripts that really depend on it:
I don't think the exceptions come from the script, but rather from the
I'm fine with reverting it, better safe than sorry. 😉
Isn't the
Perhaps it works better when this line is uncommented: Line 99 in cd3302f
Changing this manually on my install does not make a difference.
A fresh install indeed works as expected.
while the new one now contains instead:
Yes that's also what it looks like for me all the time. I did a clean install. 😉 We could add it to https://github.com/openhab/openhab-distro/blob/main/distributions/openhab/src/main/resources/bin/userdata_sysfiles.lst so it is overwritten and also add the scripts that have it in their classpath to the repo.
Yeah, I thought the same: #1355
But it could also be that I don't run into these download issues because I run it on my desktop and it contains pax-logging 2.0.12 in the local Maven repo 😐
Wrt
If we don't use them I also think they can be ignored. The runtime starts without issues and the It still seems to work fine if I remove the pax-logging artifacts from my local Maven repo.
Sorry gents, missed your concerns.
@kaikreuzer feature processing can work at runtime but then you need properly configured maven repos to pull replacement bundle.
These scripts are not usable with OH cause of directory layout anyways, so you can ignore them.
Latest distro build looks fine now, even for an update!
This pull request has been mentioned on openHAB Community. There might be relevant details there: https://community.openhab.org/t/openhab-3-2-release-discussion/130327/8
This pull request has been mentioned on openHAB Community. There might be relevant details there: https://community.openhab.org/t/openhab-3-2-release-discussion/130327/9
This pull request has been mentioned on openHAB Community. There might be relevant details there: https://community.openhab.org/t/issues-with-running-openhab-3-2-docker-image/130368/3
* Syncs distro customizations with Karaf 4.3.6
* Resolves app runbundles for the new dependencies
* Undoes the featuresProcessing for using Pax Logging 2.0.13 (openhab#1354)

For release notes, see: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12351123

Karaf 4.3.6 uses Pax Logging 2.0.14 (with Log4j 2.17.1) which fixes CVE-2021-44832.

Signed-off-by: Wouter Born <[email protected]>
This pull request has been mentioned on openHAB Community. There might be relevant details there: https://community.openhab.org/t/failing-dsc-binding-installation/139749/3