is log4j2 leveraged in Mailman version 2.1.14-1?
Good morning and Happy Friday!
You may have seen this exploit announcement today, our IT department at the university is in triage mode:
https://www.lunasec.io/docs/blog/log4j-zero-day/#affected-apache-log4j2-vers...
Does Mailman version 2.1.14-1 utilize Java logging library log4j2 and if so, what version does it use?
These are the affected versions: Affected Apache log4j2 Versions <https://www.lunasec.io/docs/blog/log4j-zero-day/#affected-apache-log4j2-versions>
2.0 <= Apache log4j <= 2.14.1
Thanks in advance for your input!
John
On Fri, Dec 10, 2021 at 2:40 PM John Lake <johnlake@uoregon.edu> wrote:
> Does Mailman version 2.1.14-1 utilize Java logging library log4j2 and if so, what version does it use?
Mailman is written in python ... it doesn't use java libraries at all.
david
-- IBM i on Power Systems: For when you can't afford to be out of business!
I'm riding in the American Diabetes Association's Tour de Cure to raise money for diabetes research, education, advocacy, and awareness. You can make a tax-deductible donation to my ride by visiting https://mideml.diabetessucks.net.
You can see where my donations come from by visiting my interactive donation map ... https://mideml.diabetessucks.net/map (it's a geeky thing).
I may have diabetes, but diabetes doesn't have me!
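A way to confirm the answer above on the host itself, as an added example that is not from any participant in this thread: walk an install tree, find log4j-core jars, and compare their version with the range quoted in the question. The function names and the sample tree are hypothetical; the metadata path is the one standard Maven-built log4j-core jars carry.

```python
import os
import re
import zipfile

AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 14, 1)  # range quoted in the thread
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if no leading digits."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    parts = [int(p) for p in m.group().split(".")][:3] if m else None
    return tuple(parts + [0] * (3 - len(parts))) if parts else None

def log4j_core_version(jar_path):
    """Version from the jar's Maven metadata, else from its file name."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            if POM in jar.namelist():
                props = jar.read(POM).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                if m:
                    return parse_version(m.group(1))
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable archive: fall back to the file name
    m = re.search(r"log4j-core-(\d[\d.]*)", os.path.basename(jar_path))
    return parse_version(m.group(1)) if m else None

def scan(root):
    """(relative path, version, in affected range) per log4j-core jar; nested jars are not opened."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(".jar")):
            ver = log4j_core_version(os.path.join(dirpath, name))
            if ver is not None:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append((rel, ver, AFFECTED_MIN <= ver <= AFFECTED_MAX))
    return sorted(hits)

def build_sample(root):
    """Constructed tree: a Python-only app directory plus two fake jars."""
    for sub in ("mailman/bin", "javaapp/lib"):
        os.makedirs(os.path.join(root, sub))
    open(os.path.join(root, "mailman/bin/qrunner.py"), "w").close()
    with zipfile.ZipFile(os.path.join(root, "javaapp/lib/core.jar"), "w") as z:
        z.writestr(POM, "version=2.14.1\n")  # version only in metadata
    zipfile.ZipFile(os.path.join(root, "javaapp/lib/log4j-core-2.17.1.jar"), "w").close()

if __name__ == "__main__":
    import sys
    print(*scan(sys.argv[1] if len(sys.argv) > 1 else "."), sep="\n")
```

An empty result for the Mailman directory matches the reply above; a hit elsewhere on the same server still needs attention.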
On 12/10/2021 1:00 PM, David Gibbs via Mailman-Users wrote:
> On Fri, Dec 10, 2021 at 2:40 PM John Lake <johnlake@uoregon.edu> wrote:
>> Does Mailman version 2.1.14-1 utilize Java logging library log4j2 and if so, what version does it use?
> Mailman is written in python ... it doesn't use java libraries at all.
And if they're still running 2.1.14, they have a heap of other security holes.
Later,
z!
@David Gibbs--thanks! That was my assumption but I appreciate the feedback and confirmation. @Carl Zwanzig-- excellent point, I've inherited this older version of Mailman and it's definitely on my maintenance debt list to upgrade to ver 3+.
Thanks again,
John
-----Original Message-----
From: Carl Zwanzig <cpz@tuunq.com>
Sent: Friday, December 10, 2021 1:04 PM
To: mailman-users@python.org
Subject: [Mailman-Users] Re: is log4j2 leveraged in Mailman version 2.1.14-1?
On 12/10/2021 1:00 PM, David Gibbs via Mailman-Users wrote:
> On Fri, Dec 10, 2021 at 2:40 PM John Lake <johnlake@uoregon.edu> wrote:
>> Does Mailman version 2.1.14-1 utilize Java logging library log4j2 and if so, what version does it use?
> Mailman is written in python ... it doesn't use java libraries at all.
And if they're still running 2.1.14, they have a heap of other security holes.
Later,
z!
On 12/10/2021 1:28 PM, John Lake wrote:
> @Carl Zwanzig-- excellent point, I've inherited this older version of Mailman and it's definitely on my maintenance debt list to upgrade to ver 3+.
You can upgrade to 2.1.current(35?) quite easily, might take an hour :D. Highly recommended.
z!
Good to know! I'll move this up to the front burner. ; )
-----Original Message-----
From: Carl Zwanzig <cpz@tuunq.com>
Sent: Friday, December 10, 2021 1:39 PM
To: mailman-users@python.org
Subject: [Mailman-Users] Re: is log4j2 leveraged in Mailman version 2.1.14-1?
On 12/10/2021 1:28 PM, John Lake wrote:
> @Carl Zwanzig-- excellent point, I've inherited this older version of Mailman and it's definitely on my maintenance debt list to upgrade to ver 3+.
You can upgrade to 2.1.current(35?) quite easily, might take an hour :D. Highly recommended.
z!
On Sat, Dec 11, 2021 at 12:30 AM John Lake <johnlake@uoregon.edu> wrote:
> @David Gibbs--thanks! That was my assumption but I appreciate the feedback and confirmation. @Carl Zwanzig-- excellent point, I've inherited this older version of Mailman and it's definitely on my maintenance debt list to upgrade to ver 3+.
> Thanks again,
> John
Series 2.1 : GNU Mailman (launchpad.net) <https://launchpad.net/mailman/2.1>
Ver 3 is such a monster you need enough preparation!
For 2.1.38 it's a simple process - unless you have some homegrown customizations.
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", egrep -v '^$|^.*#' :-)
participants (4): Carl Zwanzig, David Gibbs, John Lake, Odhiambo Washington