From 9c29d8d07442e0ee9c38317793f5de9ce12bc2b5 Mon Sep 17 00:00:00 2001
From: Andrew Foltz-Morrison
Date: Tue, 28 Dec 2021 10:45:44 -0500
Subject: [PATCH 1/3] Update log4j to 2.17.0 + slf4j-log4j12 to 1.7.32

This commit updates log4j to a known safe version on the 2.x branch. This is not a safety-critical upgrade for nasus; the 1.x branch of log4j contained no vulnerability to CVE CVE-2021-44228, and CVE-2021-4104 only applies to applications using log4j 1.x versions with JMSAppender enabled, so there is no evidence that nasus HTTP servers were affected by these vulnerabilities.

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://nvd.nist.gov/vuln/detail/CVE-2021-4104
---
 project.clj | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/project.clj b/project.clj
index caa7292..04a7a5a 100644
--- a/project.clj
+++ b/project.clj
@@ -5,11 +5,12 @@
 :url "https://opensource.org/licenses/MIT"}
 :dependencies [[org.clojure/clojure "1.10.0"]
 [org.clojure/tools.cli "0.4.1"]
- [org.slf4j/slf4j-log4j12 "1.7.26"]
- [log4j/log4j "1.2.17" :exclusions [javax.mail/mail
- javax.jms/jms
- com.sun.jmdk/jmxtools
- com.sun.jmx/jmxri]]
+ [org.slf4j/slf4j-log4j12 "1.7.32"]
+ [org.apache.logging.log4j/log4j-core "2.17.0"
+ :exclusions [javax.mail/mail
+ javax.jms/jms
+ com.sun.jmdk/jmxtools
+ com.sun.jmx/jmxri]]
 [aleph "0.4.7-alpha5"]
 [org.apache.tika/tika-core "1.20"]]
 :main http.server
From 7c043527aceaaef68341f051366d111d22084e66 Mon Sep 17 00:00:00 2001
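Review bot: Taken on its own this commit does not actually move logging off log4j 1.x: the binding kept on the new `[org.slf4j/slf4j-log4j12 "1.7.32"]` line is the SLF4J-to-log4j-1.2 adapter and, as far as I can tell, still pulls `log4j/log4j` in transitively, while the only logging config in the tree (`resources/log4j.properties`, 1.x format) is untouched here, so SLF4J output keeps flowing through 1.x and two log4j implementations now coexist on the classpath. That leaves a bisect point whose message says "updates log4j to a known safe version" but whose runtime logger is unchanged until 3/3 lands. I would move the binding swap into this commit (or squash it with 3/3) so each commit is self-consistent, or at least state in the message that the SLF4J binding is replaced in the follow-up.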
From: Andrew Foltz-Morrison
Date: Tue, 28 Dec 2021 11:04:56 -0500
Subject: [PATCH 2/3] Migrate dependencies to deps.edn

The dependencies for nasus are now specified in a deps.edn file using the lein-tools-deps plugin instead of in project.clj. This allows projects to pull nasus in using git coordinates instead of published maven artifacts. Tested locally with lein test.

References:
https://github.com/RickMoynihan/lein-tools-deps
---
 deps.edn | 12 ++++++++++++
 project.clj | 14 ++++----------
 2 files changed, 16 insertions(+), 10 deletions(-)
 create mode 100644 deps.edn

diff --git a/deps.edn b/deps.edn
new file mode 100644
index 0000000..89a42e1
--- /dev/null
+++ b/deps.edn
@@ -0,0 +1,12 @@
+{:deps
+ {org.clojure/clojure {:mvn/version "1.10.0"}
+ org.clojure/tools.cli {:mvn/version "0.4.1"}
+ org.slf4j/slf4j-log4j12 {:mvn/version "1.7.32"}
+ org.apache.logging.log4j/log4j-core
+ {:mvn/version "2.17.0"
+ :exclusions [javax.mail/mail
+ javax.jms/jms
+ com.sun.jmdk/jmxtools
+ com.sun.jmx/jmxri]}
+ aleph/aleph {:mvn/version "0.4.7-alpha5"}
+ org.apache.tika/tika-core {:mvn/version "1.20"}}}
diff --git a/project.clj b/project.clj
index 04a7a5a..7611272 100644
--- a/project.clj
+++ b/project.clj
@@ -3,17 +3,11 @@
 :url "https://github.com/kachayev/nasus"
 :license {:name "MIT License"
 :url "https://opensource.org/licenses/MIT"}
- :dependencies [[org.clojure/clojure "1.10.0"]
- [org.clojure/tools.cli "0.4.1"]
- [org.slf4j/slf4j-log4j12 "1.7.32"]
- [org.apache.logging.log4j/log4j-core "2.17.0"
- :exclusions [javax.mail/mail
- javax.jms/jms
- com.sun.jmdk/jmxtools
- com.sun.jmx/jmxri]]
- [aleph "0.4.7-alpha5"]
- [org.apache.tika/tika-core "1.20"]]
+ :dependencies []
 :main http.server
+ :plugins [[lein-tools-deps "0.4.5"]]
+ :middleware [lein-tools-deps.plugin/resolve-dependencies-with-deps-edn]
+ :lein-tools-deps/config {:config-files [:install :user :project]}
 :target-path "target/%s"
 :profiles {:uberjar {:aot :all}}
 :deploy-repositories [["clojars" {:sign-releases false}]])
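Review bot: `:lein-tools-deps/config {:config-files [:install :user :project]}` makes dependency resolution read the developer's user-level `deps.edn` as well, so the resolved classpath, and therefore the `:uberjar` built with `:aot :all` from the same project.clj, can differ from machine to machine and can be changed by whatever `:deps` or `:mvn/repos` entries a given user has configured — a repository substitution there would silently redirect where artifacts are fetched from. For a reproducible, auditable build I would restrict this to `:config-files [:install :project]` and leave user-level overrides to an opt-in profile for local development. It is also worth a one-line comment above `:dependencies []` saying that the plugin now owns the dependency list from deps.edn, so the empty vector is not mistaken for a bug.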
From 4dc3b97a0c055738298facbabde797ba3212c1ba Mon Sep 17 00:00:00 2001
From: Andrew Foltz-Morrison
Date: Tue, 28 Dec 2021 11:40:49 -0500
Subject: [PATCH 3/3] Update logging configuration to log4j2/slf4j2

This ensures that log4j 1.x doesn't get pulled in by an older version of the SLF4J implementation for log4j and updates the log4j.properties file to the new format required by log4j2. It also fixes a formatting issue where the use of Week Year "YYYY" vs Year "yyyy" in the timestamp config resulted in a different year than the current calendar year being printed in the logs. Tested locally with lein run; logs appear as expected.

References:
https://docs.oracle.com/en/java/javase/12/docs/api/java.base/java/text/SimpleDateFormat.html
---
 deps.edn | 2 +-
 resources/log4j.properties | 8 --------
 resources/log4j2.properties | 13 +++++++++++++
 3 files changed, 14 insertions(+), 9 deletions(-)
 delete mode 100644 resources/log4j.properties
 create mode 100644 resources/log4j2.properties

diff --git a/deps.edn b/deps.edn
index 89a42e1..f9a7915 100644
--- a/deps.edn
+++ b/deps.edn
@@ -1,7 +1,7 @@
 {:deps
 {org.clojure/clojure {:mvn/version "1.10.0"}
 org.clojure/tools.cli {:mvn/version "0.4.1"}
- org.slf4j/slf4j-log4j12 {:mvn/version "1.7.32"}
+ org.apache.logging.log4j/log4j-slf4j-impl {:mvn/version "2.17.0"}
 org.apache.logging.log4j/log4j-core
 {:mvn/version "2.17.0"
 :exclusions [javax.mail/mail
diff --git a/resources/log4j.properties b/resources/log4j.properties
deleted file mode 100644
index eafa0f9..0000000
--- a/resources/log4j.properties
+++ /dev/null
@@ -1,8 +0,0 @@
-log4j.rootLogger=INFO, console
-
- # log to the console
-log4j.appender.console=org.apache.log4j.ConsoleAppender
-log4j.appender.console.Target=System.out
-log4j.appender.console.layout=org.apache.log4j.PatternLayout
-log4j.appender.console.layout.ConversionPattern=%d{[MM/dd/YYYY HH:mm:ss]} \u001b[1m%c{2}\u001b[0m :: %m%n
-
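Review bot: The `:exclusions [javax.mail/mail javax.jms/jms com.sun.jmdk/jmxtools com.sun.jmx/jmxri]` block under `log4j-core` (its closing lines are outside this hunk) was copied from the old `log4j/log4j 1.2.17` coordinate; those artifact ids are 1.x-era transitive dependencies and, as far as I can tell, do not match anything log4j-core 2.x pulls in non-optionally, so the exclusions are dead configuration that suggests a 1.x dependency still exists. I would drop the whole `:exclusions` vector now that the binding swap on the `log4j-slf4j-impl` line removes the last 1.x artifact. A short comment next to that line, e.g. `;; SLF4J 1.7 binding for log4j 2 — keep at the same version as log4j-core`, would stop the two artifacts drifting apart on the next CVE-driven bump.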
diff --git a/resources/log4j2.properties b/resources/log4j2.properties
new file mode 100644
index 0000000..93152c5
--- /dev/null
+++ b/resources/log4j2.properties
@@ -0,0 +1,13 @@
+# log4j.rootLogger=INFO, console
+rootLogger.level = INFO
+
+# log to the console
+# log4j.appender.console=org.apache.log4j.ConsoleAppender
+appender.console.type = Console
+rootLogger.appenderRef.stdout.ref = STDOUT
+# log4j.appender.console.Target=System.out
+appender.console.name = STDOUT
+# log4j.appender.console.layout=org.apache.log4j.PatternLayout
+appender.console.layout.type = PatternLayout
+# log4j.appender.console.layout.ConversionPattern=%d{[MM/dd/YYYY HH:mm:ss]} \u001b[1m%c{2}\u001b[0m :: %m%n
+appender.console.layout.pattern = %d{[MM/dd/yyyy HH:mm:ss]} \u001b[1m%c{2}\u001b[0m :: %m%n
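Review bot: `appender.console.layout.pattern` emits `%m` unencoded, so any `\r`/`\n` in a logged message — presumably request paths or headers, since the series describes nasus as an HTTP server, though what is actually logged is not visible here — lets a client forge additional, authentic-looking log lines on the console. Log4j 2 has a converter for this; I would change the last line to `appender.console.layout.pattern = %d{[MM/dd/yyyy HH:mm:ss]} \u001b[1m%c{2}\u001b[0m :: %enc{%m}{CRLF}%n`, which escapes line breaks in the message body; note that the pattern itself already relies on raw ESC bytes (`\u001b[1m`/`\u001b[0m`) for styling, so a message containing its own ESC sequences would still reach the terminal and needs a separate decision if that matters for the deployment. The commented-out `# log4j.appender…` lines from the 1.x config are now noise; the old-to-new mapping is documented by the commit itself and they can be removed.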