
log4j Mitigation necessary? In the pipeline?

PostPosted: Mon Dec 13, 2021 1:07 am
by cjohnmurphy
Serviio seems to use an older version of log4j. What is the plan to mitigate the ongoing attack vector in the log4j product?

Re: log4j Mitigation necessary? In the pipeline?

PostPosted: Mon Dec 13, 2021 1:22 am
by atc98092
Serviio uses Bitbucket for tracking bugs and enhancements. I suggest posting this information there, so the developer can track and provide feedback for the issue. I searched for any entries for log4j and found none.

https://bitbucket.org/xnejp03/serviio/issues

Re: log4j Mitigation necessary? In the pipeline?

PostPosted: Mon Dec 13, 2021 5:46 pm
by zip
Just released 2.2.1 which has the latest (fixed) version of log4j

Re: log4j Mitigation necessary? In the pipeline?

PostPosted: Fri Dec 17, 2021 9:26 am
by jeiz
zip wrote: Just released 2.2.1 which has the latest (fixed) version of log4j

2.2.1 appears to contain log4j 2.15.0 and regrettably that was an incomplete fix, so Apache has now released log4j 2.16.0 (hopefully the last for a while!).

Edit: Ugh ... Apache has released log4j 2.17.0 (2.16.0 still vulnerable to DoS).

Edit: ... and Apache has released log4j 2.17.1 (2.17.0 still vulnerable to RCE via a different attack)

Is an updated version of Serviio in the pipeline?
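The version chase above (2.15.0 incomplete, 2.16.0 still open to DoS, 2.17.0 superseded, 2.17.1 the one people ask for) raises the practical question of how to tell which log4j-core a given Serviio install actually bundles. The following is an added example, not code from the thread or from the Serviio project: it walks an install directory, reads the Maven `pom.properties` that log4j-core jars carry, compares the version against 2.17.1 (the target the thread settles on), and also reports whether `JndiLookup.class` is present, since removing that class from the jar was Apache's documented interim mitigation. The `lib/` layout, jar names and the jar contents built by `build_sample_jar` are constructed fixtures for the demo; point `scan()` at a real install tree to get real results.

```python
"""Find bundled log4j-core jars under a directory and flag those below 2.17.1.

Added example for this thread; not Serviio's own code. Paths and the
sample jars built by build_sample_jar() are constructed for the demo.
"""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Tuple

# The release this thread converges on as the fixed log4j 2.x line (Dec 2021).
TARGET_VERSION: Tuple[int, int, int] = (2, 17, 1)

# Maven metadata shipped inside log4j-core jars; its version= line is authoritative.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# Apache's documented interim mitigation was to delete this class from the jar,
# so its presence in an old jar means the jar was not even hand-patched.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


@dataclass
class Finding:
    jar_path: str
    version: Optional[Tuple[int, int, int]]
    jndi_lookup_present: bool

    @property
    def needs_update(self) -> bool:
        # An unparseable version is treated as needing attention, never as safe.
        return self.version is None or self.version < TARGET_VERSION


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """'2.15.0' -> (2, 15, 0); '2.17' -> (2, 17, 0); anything else -> None."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def inspect_jar(jar_path: str) -> Optional[Finding]:
    """Return a Finding if the jar is log4j-core, otherwise None."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            names = set(jar.namelist())
            if POM_PROPERTIES not in names:
                return None  # some other library; not what we are looking for
            version = None
            props = jar.read(POM_PROPERTIES).decode("utf-8", "replace")
            for line in props.splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
            return Finding(jar_path, version, JNDI_LOOKUP_CLASS in names)
    except zipfile.BadZipFile:
        return None  # not a real jar; skip rather than crash the scan


def scan(root: str) -> Iterator[Finding]:
    """Walk an install tree (for Serviio, its lib/ directory) for log4j-core jars."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".jar"):
                finding = inspect_jar(os.path.join(dirpath, name))
                if finding is not None:
                    yield finding


def build_sample_jar(path: str, version: Optional[str], with_jndi_lookup: bool) -> None:
    """Constructed fixture: a jar carrying only the metadata this scanner reads."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version is not None:  # None simulates an unrelated, non-log4j jar
            jar.writestr(POM_PROPERTIES, f"groupId=org.apache.logging.log4j\n"
                                         f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"")  # placeholder entry, not bytecode


def demo() -> Dict[str, Dict[str, object]]:
    """Build three constructed jars in a temp tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "lib")
        os.makedirs(lib)
        build_sample_jar(os.path.join(lib, "log4j-core-2.15.0.jar"), "2.15.0", True)
        build_sample_jar(os.path.join(lib, "log4j-core-2.17.1.jar"), "2.17.1", False)
        build_sample_jar(os.path.join(lib, "other-lib.jar"), None, False)
        return {
            os.path.basename(f.jar_path): {
                "version": f.version,
                "jndi_lookup_present": f.jndi_lookup_present,
                "needs_update": f.needs_update,
            }
            for f in scan(root)
        }


if __name__ == "__main__":
    for name, info in sorted(demo().items()):
        print(f"{name}: {info}")
```

Two caveats for real installs: a product that shades log4j into a single fat jar will not have the `pom.properties` path above, so search nested jars or the class path directly in that case, and a jar with `JndiLookup.class` removed but an old version string has been hand-mitigated rather than upgraded, which is why the scanner reports both signals instead of collapsing them into one verdict.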

Re: log4j Mitigation necessary? In the pipeline?

PostPosted: Sun Jan 09, 2022 2:39 pm
by burgergold
Same, please release a new version with log4j 2.17.1.

Re: log4j Mitigation necessary? In the pipeline?

PostPosted: Wed Jun 08, 2022 3:22 pm
by bbqf
+1 on the topic!
It's been a while since the log4j issue was found and fixed; it would be great to have a Serviio with a fixed version of it!

Re: log4j Mitigation necessary? In the pipeline?

PostPosted: Wed Jun 08, 2022 6:09 pm
by atc98092
Last I was advised by Zip, the next version of Serviio should reach beta testing sometime this summer. I have no clue what is in the next version, but I would expect he will ensure log4j is addressed.