- 19 Dec, 2021 7 commits
-
-
Matthias Neugebauer authored* upstream/r/10.x: Remove logging-1.11.6 from distributions Update to Pax Logging 1.11.12 Opencast 10.8 Release Notes
-
Greg Logan authored
Pull request #3283 Opencast 10.8 Release Notes
-
Greg Logan authored
Pull request #3282 Update to Pax Logging 1.11.12
-
Matthias Neugebauer authored
* upstream/r/10.x: Fix Opencast 9.12 Release Notes Remove logging-1.11.6 from distributions Update to Pax Logging 1.11.12 update release notes to be a bit more precise Opencast 9.12 Release Notes Opencast 9.11 Release Notes Release notes and changelog for 10.7 Fixing security issue where any file readable by Opencast could be added to the mediapackage. Update to Pax Logging 1.11.11 Update to Pax Logging 1.11.11 Automatically update translation keys (r/9.x) Automatically update translation keys (r/10.x) Update Elasticsearch container image to 7.10.2 Adding logshell mitigation to debian package instructions Log4Shell Mitigation for Development Containers Fix Typo in ES Options File Switch to Java Optional Fix multiple extended metadata catalogs for series
-
Daniel Ziegenberg authored
This patch entirely removes the logging-1.11.6 bundles for log4j from Opencast's assemblies. Technically, this makes noo difference, since it wasn't used any longer anyway. Nevertheless, this could avoid confusion if people do find the old, vulnerable version of Log4J somewhere on the filesystem. Signed-off-by:Daniel Ziegenberg <daniel@ziegenberg.at>
-
Daniel Ziegenberg authored
This is a hot-patch for Apache Karaf, updating Pax Logging to version 1.11.12. The [new version contains Log4j2 2.17.0](https://github.com/ops4j/org.ops4j.pax.logging/commits/logging-1.11.12/).
-
Daniel Ziegenberg authored
-
- 18 Dec, 2021 6 commits
-
-
Lars Kiesow authored
-
Lars Kiesow authored
This patch adds some minimal fixes to the Opencast 9.12 release notes.
-
Lars Kiesow authored
This patch entirely removes the logging-1.11.6 bundles for log4j from Opencast's assemblies. Technically, this makes noo difference, since it wasn't used any longer anyway. Nevertheless, this could avoid confusion if people do find the old, vulnerable version of Log4J somewhere on the filesystem.
-
Daniel Ziegenberg authored
This is a hot-patch for Apache Karaf, updating Pax Logging to version 1.11.12. The [new version contains Log4j2 2.17.0](https://github.com/ops4j/org.ops4j.pax.logging/commits/logging-1.11.12/).
-
Daniel Ziegenberg authored
-
Daniel Ziegenberg authored
-
- 17 Dec, 2021 9 commits
-
-
Greg Logan authored
-
Lars Kiesow authored
-
Greg Logan authored
Fix Files Accessible to External Parties
-
Greg Logan authored
-
Greg Logan authored
This issue allows users who have the ability to add content and view mediapackages to add potentially sensitive files to that mediapackage. This includes all Opencast configuration files containing credentials (LMS, DB credentials), as well as any other insufficiently restricted file. Badly permissioned config files in /etc? Now attached to your MP! Filed as GHSA-59g4-hpg3-3gcp This is a backport from Opencast 10.6. Signed-off-by:Lars Kiesow <lkiesow@uos.de>
-
Greg Logan authored
Pull request #3275 Update to Pax Logging 1.11.11
-
Greg Logan authored
Pull request #3276 Update to Pax Logging 1.11.11 (9.x)
-
Lars Kiesow authored
This is a hot-patch for Apache Karaf, updating Pax Logging to version 1.11.11. The [new version contains Log4j2 2.16.0](https://github.com/ops4j/org.ops4j.pax.logging/commits/logging-1.11.11/pax-logging-api). This is a variant of pull request #3275 for Opencast 9.x.
-
Lars Kiesow authored
This is a hot-patch for Apache Karaf, updating Pax Logging to version 1.11.11. The [new version contains Log4j2 2.16.0](https://github.com/ops4j/org.ops4j.pax.logging/commits/logging-1.11.11/pax-logging-api).
-
- 16 Dec, 2021 1 commit
-
-
Lars Kiesow authored
-
- 15 Dec, 2021 5 commits
-
-
Crowdin Bot authored
-
Crowdin Bot authored
-
Matthias Neugebauer authored
Fix multiple extended metadata catalogs for series
-
Matthias Neugebauer authored
This updates the container image used in the dev compose files to 7.10.2, the latest 7.10.x release. The image is now comming from Elastic and not form Docker Hub as this only has 7.10.1.
-
Lars Kiesow authored
-
- 14 Dec, 2021 8 commits
-
-
Matthias Neugebauer authored
Log4Shell Mitigation for Development Containers
-
Greg Logan authored
Pull request #3248 Switch to Java Optional
-
Lars Kiesow authored
-
Greg Logan authored
Log4Shell mitigation instructions for Debian packages
-
Greg Logan authored
-
Lars Kiesow authored
While this is certainly not that important since they *should* only ever be available locally, this applies the mitigation for CVE-2021-44228 just in case.
-
Lars Kiesow authored
-
Lars Kiesow authored
This patch fixes a typo in the installation guide which is missing the `.options` extention from the file used for Log4Shell mitigation.
-
- 13 Dec, 2021 4 commits
-
-
Matthias Neugebauer authored
* upstream/r/10.x: Log4Shell in Elasticsearch Installation Guide Release notes and changelog for 10.6 Per discussion on the security ticket, previous exception based system can be worked around using file:///some/path?exclusion. Now we straight up blacklist file and only allow it if you turn on this flag. Release Notes for Opencast 9.10 Update CXF CVE-2021-44228 mitigation. This can be/should be removed once we've updated to pax-logging-log4j2:1.11.10 or newer. Adding exception to the exception to prevent people from using the exception to traverse the path... Fixing security issue where any file readable by Opencast could be added to the mediapackage. Using org URLs, rather than the SR's underlying hosts. Org URLs might or might not match the SR's names for them. Fixing security issue where system wide digest credentials were being inappropriately sent to unauthenticated servers.
-
Lars Kiesow authored
-
Lars Kiesow authored
This patch explains how to mitigate Log4Shell when installing Elasticsearch from the RPM repository. This is a short-term fix, before actually patching the RPMs itself.
-
Greg Logan authored
-
