[Koha] log4j

Chris Cormack chrisc at catalyst.net.nz
Tue Dec 14 14:42:49 NZDT 2021


Hi Tasha

Koha itself doesn't, but if you are using ElasticSearch as the search
engine that does, so you will want to patch your ElasticSearch servers.

You are correct there is a mention of log4j in the shibboleth config,
but it doesn't use log4j.

"Shibboleth does not use log4j. We ship a bridge for it to slf4j but
that's not vulnerable, the bug is in log4j itself. We allow (in theory)
the IdP to be manipulated to log to log4j through the slf4j API but we
don't ship that or provide any code or examples for doing that."

https://shibboleth.net/pipermail/announce/2021-December/000253.html


Chris

On 14/12/21 2:16 pm, Bales (US), Tasha R wrote:
> Is Koha impacted by the log4j issue?
> 
> https://www.zdnet.com/article/log4j-zero-day-flaw-what-you-need-to-know-and-how-to-protect-yourself/
> 
> The Koha Wiki makes minor use of the characters "log4j" in an article about Shibboleth configuration.
> 
> Apologies if this is an inappropriate email.  I've been advised to either patch or turn my server off this week if there is an impact.   I've found various advice suggesting to do x, y, z to see if log4j is installed, then contrary advice that suggests that x, y, z may not be adequate.   I am wholly unqualified to make inferences, so thought it best to ask the "source".
> 
> Thanks.
> 
> 
> Tasha Bales
> Enterprise Services
> http://isesi.web.boeing.com/
> 
> 
> 
> Library Services Catalog upgrade is coming!
> For the latest news and FAQ regarding the upgrade, see Library Announcements<http://library.web.boeing.com/help/announcements.html>.
> Questions?  Please contact library at boeing.com<mailto:library at boeing.com>.
> 
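
Added example, not part of either message above: the thread notes that the string "log4j" in a config or file name does not show whether log4j itself is present, and that simple checks may not be adequate. This sketch looks inside archives, nested ones included, for the log4j-core 2.x JndiLookup class; the jar names and their contents are constructed samples.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Class file shipped in log4j-core 2.x; finding it inside an archive means
# log4j-core is bundled there, whatever the archive happens to be called.
MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def scan_archive(src, label, depth=0):
    """Return labels of archives (nested ones included) that contain MARKER."""
    hits = []
    try:
        with zipfile.ZipFile(src) as zf:
            for name in zf.namelist():
                if name.endswith(MARKER):
                    hits.append(label)
                elif name.lower().endswith(ARCHIVE_EXT) and depth < 5:
                    nested = io.BytesIO(zf.read(name))
                    hits += scan_archive(nested, f"{label}!{name}", depth + 1)
    except (zipfile.BadZipFile, RuntimeError, OSError):
        pass  # unreadable, encrypted or not really an archive: skip it
    return hits

def scan_tree(root):
    """Scan every archive file found under root."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            hits += scan_archive(path, str(path))
    return hits

def make_zip(entries):
    # Helper for the constructed sample: build a zip archive in memory.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    """Constructed sample: a bridge-style jar named log4j, and an app jar hiding log4j-core."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "log4j-over-slf4j.jar": make_zip({"org/apache/log4j/Logger.class": b"x"}),
            "app.jar": make_zip({"lib/bundled.jar": make_zip({MARKER: b"x"})}),
        }
        for fname, data in files.items():
            Path(root, fname).write_bytes(data)
        return [hit[len(root) + 1:] for hit in scan_tree(root)]
```

A hit shows that log4j-core is bundled, not which version it is; the version still has to be checked against the vendor's advisory.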

