[Oskari-user] Oskari-server 2.5.2 released!

Mäkinen Sami (MML) sami.makinen at maanmittauslaitos.fi
Tue Dec 14 05:46:30 PST 2021


Hi everyone,

As you've probably heard by now there's a serious vulnerability affecting the popular logging library Log4J. The library is also used by oskari-server and we released version 2.5.2 last Friday that uses an updated version of the library where the issue has been fixed. It's heavily recommended that you update your application to use the new version or use other mitigation measures if you have not yet reacted to this. If you are already using Oskari 2.5.x you can update the server/war-file (https://oskari.org/documentation/updating) to use Oskari 2.5.2. The frontend application doesn't need to be updated in this case. A quick mitigation measure for preventing the threat on older instances is to add "-Dlog4j2.formatMsgNoLookups=true" to the parameters passed to Java on the server startup script (in /etc/default/oskari-server or /etc/sysconfig/oskari-server or similar depending on your installation).

As a heads up the 2.6.0 version is tentatively scheduled for mid-January so if you want something included, now is the time to get those pull requests sent!

Cheers,
        Sami
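
An added example, not part of the original message or of Oskari's own code: a shell check that the `-Dlog4j2.formatMsgNoLookups=true` mitigation mentioned above is really active, both in the startup file and in the running JVM. It assumes a Linux host with `/proc`; the startup file paths are passed as arguments because they depend on the installation.

```shell
#!/bin/sh
# Added example: verify the formatMsgNoLookups mitigation is in effect.
FLAG='-Dlog4j2.formatMsgNoLookups=true'
FLAG_RE='-Dlog4j2\.formatMsgNoLookups=true'

# Succeeds if FILE has a non-comment line carrying the exact flag.
# A commented-out line or "=false" does not count. Returns 2 if unreadable.
flag_in_file() {
    [ -r "$1" ] || return 2
    # Drop comment lines, then match the flag as a whole token so that a
    # longer property name or value is not mistaken for it.
    grep -v '^[[:space:]]*#' "$1" |
        grep -Eq -- "(^|[[:space:]\"'])${FLAG_RE}([[:space:]\"']|\$)"
}

# Succeeds if the NUL-separated argument vector in CMDLINE_FILE
# (/proc/<pid>/cmdline on Linux) contains the flag as its own argument.
flag_in_cmdline() {
    [ -r "$1" ] || return 2
    tr '\0' '\n' < "$1" | grep -Fxq -- "$FLAG"
}

# Report on each startup file given as an argument, then on running JVMs.
# A file can be fixed while the old process still runs without the flag.
report() {
    for f in "$@"; do
        if flag_in_file "$f"; then
            echo "OK      $f"
        else
            echo "MISSING $f (absent, unreadable, commented out or not =true)"
        fi
    done
    for c in /proc/[0-9]*/cmdline; do
        # Only look at processes whose first argument ends in "java".
        { tr '\0' '\n' < "$c"; } 2>/dev/null | head -n 1 |
            grep -q 'java$' || continue
        if flag_in_cmdline "$c"; then
            echo "OK      running JVM ${c%/cmdline}"
        else
            echo "MISSING running JVM ${c%/cmdline} (restart needed?)"
        fi
    done
}

# Example: sh check.sh /etc/default/oskari-server /etc/sysconfig/oskari-server
if [ "$#" -gt 0 ]; then report "$@"; fi
```

The flag is only honoured by Log4j 2.10 and later, so a passing check says nothing about an instance that bundles an older 2.x release of the library.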