| Re: [lyo-dev] [ANN] Apache Jena 4.3.1 |
|
Hello Jad, Yes, it does. Though we need to get
https://github.com/eclipse/lyo/pull/212 to pass the build before we can actually switch to the new version of Jena. /Andrew From:
lyo-dev <lyo-dev-bounces@xxxxxxxxxxx> on behalf of Jad El-Khoury <jad@xxxxxx> Thank you Andrew for the update. Will this apply for code produced with LyoDesigner? From: lyo-dev <lyo-dev-bounces@xxxxxxxxxxx> on behalf of Andrii Berezovskyi <andriib@xxxxxx> Hello, FYI, this is the Jena release with a log4j fix. Also, here is an earlier message from Andy regarding the vulnerability scope: Jena ships log4j2 in Fuseki and the command line tools. The vulnerability of log4j2 does impact Fuseki 3.15 - 3.17, and 4.x. Remote execution is only possible with older versions of Java. Java versions Java 8u121 and Java 11.0.1, and later, set "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false" protecting against remote code execution by default. The workaround of setting "-Dlog4j2.formatMsgNoLookups=true" works with all affected Fuseki versions: JVM_ARGS="-Dlog4j2.formatMsgNoLookups=true" ./fuseki-server .... Note that Apache Jena 4.2.0 addresses an unrelated Jena-specific CVE https://nvd.nist.gov/vuln/detail/CVE-2021-39239
*** To my best knowledge, Lyo 4.x should not be vulnerable both because we only rely on Jena libs and not Fuseki or CLI tools and because we exclude log4j already from our builds:
https://github.com/eclipse/lyo/blob/master/pom.xml#L259 Lyo is ready to switch to newest Jena model once
https://github.com/eclipse/lyo/pull/222 is merged and to finally address the CVE-2021-39239. A friendly reminder to fill out the Lyo dev survey:
https://docs.google.com/forms/d/e/1FAIpQLScpuLEoIXpCGnVsLVVwaJq5-5BzTIlZ4uiS77uNDjOFJ3i4Mg/viewform?usp=sf_link The responses we got till now indicate there are no Lyo users who cannot upgrade to JDK 11. /Andrew On 2021-12-13, 18:31, "Andy Seaborne" <andy@xxxxxxxxxx> wrote: The Apache Jena development community is pleased to announce the release of Apache Jena 4.3.1. This release updates the version of log4j2 used in Fuseki. Fuseki users should upgrade as soon as possible. Uses of Jena libraries should to check their application logging
dependences and update as necessary. == Changes JENA-2211: Upgrade to Log4j2 2.15.0 JENA-2209, JENA-2210: xloader improvements JENA-2207: Fix for SERVICE == Obtaining Apache Jena 4.3.1 * Via central.maven.org The main jars and their dependencies can used with: <dependency> <groupId>org.apache.jena</groupId> <artifactId>apache-jena-libs</artifactId> <type>pom</type> <version>4.3.1</version> </dependency> Full details of all maven artifacts are described at: http://jena.apache.org/download/maven.html * As binary downloads Apache Jena libraries are available as a binary distribution of libraries. For details of a global mirror copy of Jena binaries please see: http://jena.apache.org/download/ * Source code for the release The signed source code of this release is available at: http://www.apache.org/dist/jena/source/ and the signed master source for all Apache Jena releases is available at: http://archive.apache.org/dist/jena/ == Contributing If you would like to help out, a good place to look is the list of unresolved JIRA at: http://s.apache.org/jena-jira-current or review pull requests at https://github.com/apache/jena/pulls or drop into the dev@ list. We use github pull requests and other ways for accepting code: https://github.com/apache/jena/blob/master/CONTRIBUTING.md |