LOCKSS Daemon 1.75.9
Security
- Removed Log4j 1.x from the release package.
  While the LOCKSS 1.x daemon itself does not use either Log4j 1.x or Log4j 2.x, some of the included third-party libraries do use Log4j 1.x. There are known security vulnerabilities in Log4j 1.x (CVE-2019-17571, CVE-2021-4104). It is impractical for us to audit those third-party libraries to determine whether they are affected by these vulnerabilities, so out of an abundance of caution we have completely removed Log4j 1.x from the release package and replaced it with Log4j 2.17.1, the most recent version of Log4j 2.x. This version is not affected by Log4Shell (CVE-2021-44228) or the severe Log4j vulnerabilities discovered subsequently (CVE-2021-45046, CVE-2021-45105, CVE-2021-44832).
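A way to confirm on an installed package that the removal described above actually took effect, as an added example that is not LOCKSS project code: the scanner below walks a directory of jars, looks inside each one (and inside jars nested in it) for classes under the Log4j 1.x package `org/apache/log4j/`, flags the two classes tied to the CVEs named above, and reads the version of any `log4j-core` it finds from the standard Maven `pom.properties` entry. Checking class entries rather than jar file names is what catches Log4j 1.x copies shaded into third-party libraries, which is the case the release note says is impractical to audit by hand. The sample package it builds (`build_sample_package`) is constructed for the demonstration and is not a real LOCKSS release.

```python
"""Scan a release package for Log4j 1.x classes (including copies shaded into
third-party jars) and report the Log4j 2.x version present.
Added example; not LOCKSS project code."""
import io
import tempfile
import zipfile
from pathlib import Path

LOG4J1_PREFIX = "org/apache/log4j/"            # package of Log4j 1.x
LOG4J2_PREFIX = "org/apache/logging/log4j/"    # package of Log4j 2.x
# Standard Maven layout for log4j-core's own version metadata inside the jar.
LOG4J2_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Classes tied to the Log4j 1.x CVEs named in the release note.
CVE_CLASSES = {
    "org/apache/log4j/net/SocketServer.class": "CVE-2019-17571",
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104",
}


def inspect_archive(label, data):
    """Inspect one jar given as bytes; recurse into jars nested inside it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip at all: nothing to report
    with zf:
        names = zf.namelist()
        rec = {
            "jar": label,
            "log4j1": any(n.startswith(LOG4J1_PREFIX) and n.endswith(".class") for n in names),
            "log4j2": any(n.startswith(LOG4J2_PREFIX) and n.endswith(".class") for n in names),
            "cves": sorted(cve for cls, cve in CVE_CLASSES.items() if cls in names),
            "log4j2_core_version": None,
        }
        if LOG4J2_CORE_POM in names:
            props = zf.read(LOG4J2_CORE_POM).decode("utf-8", "replace")
            for line in props.splitlines():
                if line.startswith("version="):
                    rec["log4j2_core_version"] = line.split("=", 1)[1].strip()
        findings.append(rec)
        for n in names:  # jar-in-jar, e.g. WEB-INF/lib inside a war
            if n.endswith(".jar"):
                findings.extend(inspect_archive(f"{label}!{n}", zf.read(n)))
    return findings


def scan_package(root):
    """Walk a directory tree and inspect every .jar found under it."""
    findings = []
    for path in sorted(Path(root).rglob("*.jar")):
        findings.extend(inspect_archive(str(path.relative_to(root)), path.read_bytes()))
    return findings


def log4j1_hits(root):
    """Jars that still carry Log4j 1.x classes: a cleaned package should have none."""
    return [f for f in scan_package(root) if f["log4j1"]]


def _make_jar(path, entries):
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)


def build_sample_package(dest):
    """Constructed sample tree (not a real LOCKSS package): a plain Log4j 1.x jar,
    a third-party jar with a shaded copy of Log4j 1.x, and a log4j-core 2.17.1 jar.
    Class entries are empty placeholders; only their names matter to the scan."""
    dest = Path(dest)
    _make_jar(dest / "lib" / "log4j-1.2.17.jar",
              {"org/apache/log4j/Logger.class": b"",
               "org/apache/log4j/net/SocketServer.class": b""})
    _make_jar(dest / "lib" / "vendor-tool.jar",
              {"com/example/Tool.class": b"",
               "org/apache/log4j/net/JMSAppender.class": b""})
    _make_jar(dest / "lib" / "log4j-core-2.17.1.jar",
              {"org/apache/logging/log4j/core/Logger.class": b"",
               LOG4J2_CORE_POM: b"version=2.17.1\ngroupId=org.apache.logging.log4j\n"})
    return dest


def scan_sample():
    """Build the constructed sample in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_package(tmp)
        return scan_package(tmp)


if __name__ == "__main__":
    for f in scan_sample():
        print(f)
```

Run it against the real package with `scan_package("/path/to/lockss/lib")` and treat any entry with `log4j1` set as something to explain: it is either leftover Log4j 1.x, a shaded copy inside a vendor jar, or the Log4j 2 `log4j-1.2-api` compatibility bridge, which legitimately contains `org/apache/log4j/` classes and so needs a look at the jar name before it is counted as a finding.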
- Brought the PostgreSQL JDBC driver up to date (CVE-2020-13692).
Bug Fixes
- Fixed a bug preventing AUs in title sets with certain Unicode characters in their name from being added.
- Switched from Commons Collections 3 to 4 and Commons Lang 2 to 3 (with exceptions required for plugin compatibility).
- Fixed some unclosed file errors.