[security] mitigate log4j CVE-2021-44228

eXist-db · Dec 13, 2021 · 7cfe835 · 7cfe835
1 parent de3730a
commit 7cfe835
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -3,7 +3,7 @@
 This is an Ansible role to install and configure eXist DB
 (http://exist-db.org/).
 
-The current version is 1.0 (Aug 15 2021). This release supports
+The current version is 1.1 (Dec 13 2021). This release supports
 **eXist-db 5.x** and **multiple eXist-db instances** on a single host.
 For a list of changes since the public beta release, please see
 RELEASE_NOTES.md.

diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
@@ -1,6 +1,16 @@
-# Current Version
+# Version 1.1 (Dec 13 2021)
 
-Version 1.0 (Aug 15 2021)
+This is a security release addressing the log4j vulnerability.
+
+## Security
+
+* Mitigate log4j CVE-2021-44228 by passing `-Dlog4j2.formatMsgNoLookups=true`
+
+## Fixes and Improvements
+
+* add missing `unzip` dependency (thanks @gabicavalcante)
+
+# Version 1.0 (Aug 15 2021)
 
 This version has been applied to various eXist-db instances that are actively
 in production, including more complex setups that use production/staging/dev
@@ -44,8 +54,6 @@ environments or data replication for high availability.
 * recommended role invocation has changed to `include_role`, see "Example Playbook" in README.md
 * some config variables have been removed or renamed, please refer to `defaults/main.yml` or README.md
 
-# Old Versions
-
-## Unversioned Beta-Release (Nov 1 2018)
+# Unversioned Beta-Release (Nov 1 2018)
 
 Initial public beta release.
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.0
+1.1
diff --git a/templates/exist.java.options.j2 b/templates/exist.java.options.j2
@@ -94,3 +94,6 @@
 
 # tmp dir
 -Djava.io.tmpdir={{ exist_home }}/tmp
+
+# SECURITY: log4j CVE-2021-44228 - do not allow log msg formatting
+-Dlog4j2.formatMsgNoLookups=true