Tracking log4j security issues #1381
TDS 4.6.19 was released December 20th, 2021. It is identical to TDS 4.6.19-20211218.154246-4, other than that it is archived as an official release; it uses log4j 2.17.0 and addresses CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105. You can get TDS 4.6.19 from the TDS downloads page.
As of December 28th, 2021, log4j 2.17.0 is known to be vulnerable to CVE-2021-44832. We have published a TDS 4.6.20-SNAPSHOT which uses log4j 2.17.1 - this snapshot is now the recommended version of TDS 4.6.x. You can get it from the TDS downloads page. We will release TDS 4.6.20 sometime soon, but are choosing to "wait and see" how the issue evolves for the time being.
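A quick way to verify which log4j a deployed TDS actually bundles, rather than trusting the version label on the download, is to open the WAR (a zip file) and read the log4j-core jar name under WEB-INF/lib. The following is an added example, not code from the THREDDS project; it assumes the standard WAR layout (WEB-INF/lib/log4j-core-<version>.jar) and uses the version thresholds named in this thread (2.17.0 for the first three CVEs, 2.17.1 for CVE-2021-44832), which are the versions the thread recommends rather than the earliest upstream fixes. The sample WARs it builds are constructed in memory for demonstration.

```python
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Versions this thread names as addressing each CVE (assumption: thresholds
# follow the thread's recommendations, not necessarily the earliest upstream fix).
FIXED_IN: Dict[str, Version] = {
    "CVE-2021-44228": (2, 17, 0),
    "CVE-2021-45046": (2, 17, 0),
    "CVE-2021-45105": (2, 17, 0),
    "CVE-2021-44832": (2, 17, 1),
}

JAR_RE = re.compile(r"WEB-INF/lib/log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def log4j_core_versions(war_bytes: bytes) -> List[Version]:
    """Return every log4j-core version found under WEB-INF/lib of a WAR."""
    found: List[Version] = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = JAR_RE.search(name)
            if m:
                found.append(tuple(int(x) for x in m.groups()))  # type: ignore[arg-type]
    return found


def outstanding_cves(version: Version) -> List[str]:
    """CVEs whose threshold version is newer than the bundled log4j-core."""
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


def audit_war(war_bytes: bytes) -> Dict[str, Optional[object]]:
    """Report the oldest bundled log4j-core and the CVEs still outstanding for it."""
    versions = log4j_core_versions(war_bytes)
    if not versions:
        # No log4j-core jar: either a different logging stack or a packaging surprise; inspect by hand.
        return {"log4j_core": None, "outstanding": []}
    oldest = min(versions)
    return {"log4j_core": ".".join(map(str, oldest)), "outstanding": outstanding_cves(oldest)}


def build_sample_war(jar_names: List[str]) -> bytes:
    """Constructed stand-in for thredds.war: a zip with empty jar entries under WEB-INF/lib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for jar in jar_names:
            war.writestr(f"WEB-INF/lib/{jar}", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for jars in (["log4j-core-2.17.0.jar", "log4j-api-2.17.0.jar"], ["log4j-core-2.17.1.jar"]):
        print(audit_war(build_sample_war(jars)))
```

For a container deployment, copy the WAR out first (for example with `docker cp`) and pass its bytes to `audit_war`; a result with an empty `outstanding` list means the bundle is at or above the 2.17.1 level this thread recommends.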
@haileyajohnson we run thredds using the unidata-created docker containers. I currently see the latest as 4.6.19 here: Could we get the latest version pushed please?
I'm keen to also have a v5 container. So I assume for the log4j issue I'm now waiting on 5.4 (with the same log4j updates as 4.6.20).
@rsignell-usgs @gajowi jumping in a little late in the game here, but now that
Thanks Julien. I'm personally happy to wait, given I'm not expecting a long wait.
On Thu, 6 Jan 2022, 6:02 am Julien Chastang, ***@***.***> wrote:
@rsignell-usgs <https://github.com/rsignell-usgs> @gajowi <https://github.com/gajowi> jumping in a little late in the game here, but now that 5.3 has been belatedly released <Unidata/thredds-docker#258>, on the docker side do you need SNAPSHOT releases for TDS 4 and 5? The thing is that CVE-2021-44832 <https://nvd.nist.gov/vuln/detail/CVE-2021-44832> was a lot less severe than the original set of log4j vulnerabilities, and I would like to hold off until 5.4, if possible before making a Docker release.
The wait has been far longer than I anticipated. Will there be 5.4 and 4.6.20 releases soon?
@gajowi We're aiming to get the new releases out next Friday (2/18), it has been quite a wait now. Everything you've said is spot on though, these past few months have not been "the norm" for our releases, but to really stay on top of security and bug fixes, snapshots are the way to go.
I see 4.6.20 but no 5.4. Is that scheduled?
5.4 release date is still TBA. Getting it in shape as a stable, long-term release has turned out to be a heavier lift than expected, but it is my top priority right now. Sorry for the delays.
Hello THREDDS users - this issue is being opened to keep users who are not subscribed to the mailing list updated on the log4j and TDS saga.
As of December 18th, 2021, the recommended releases of the TDS are snapshot releases, 5.3-SNAPSHOT and 4.6.19-20211218.154246-4. Both can be found on the TDS downloads page. These releases use log4j 2.17.0 and address CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105.
The THREDDS team plans to release an official (non-snapshot) release of both TDS 5.x and 4.6.x next week, however there is no difference between a snapshot and a full release other than the process of naming and archiving the version. The snapshots available are complete and stable.
We will keep you updated here as the situation progresses.
best,
THREDDS development team