logj4 Mitigation necessary? In the pipeline?

Serviio seems to use an older version of log4j. What is the plan to mitigate the ongoing attack vector in the log4j product?

[atc98092]

Serviio uses BItbucket for tracking bugs and enhancements. I suggest posting this information there, so the developer can track and provide feedback for the issue. I searched for any entries for log4j and found none.

https://bitbucket.org/xnejp03/serviio/issues

[zip]

Just released 2.2.1 which has the latest (fixed) version of log4j

Just released 2.2.1 which has the latest (fixed) version of log4j

2.2.1 appears to contain log4j 2.15.0 and regrettably that was an incomplete fix, so Apache has now released log4j 2.16.0 (hopefully the last for a while!).

Edit: Ugh ... Apache has released log4j 2.17.0 (2.16.0 still vulnerable to DoS).

Edit: ... and Apache has released log4j 2.17.1 (2.17.0 still vulnerable to RCE via a different attack)

Is an updated version of serviio in the pipeline?

same, please release a new version with log4j 2.17.1

+1 on the topic!
It's been a while since the log4j issue has been found and fixed, it would be great to have a serviio with a fixed version of it!

[atc98092]

Last I was advised by Zip, the next version of Serviio should reach beta testing sometime this summer. I have no clue what is in the next version, but I would expect he will ensure log4j is addressed.