See tracker for details on the log4j vulnerability. 6.5.54 changelog indicates this fixes it: "Fix a security vulnerability found in a 3rd party library (CVE-2021-44228)." So, please stabilize 6.5.54.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8db10440588b1d373c0adf509cbd67a28f5a4e4a

commit 8db10440588b1d373c0adf509cbd67a28f5a4e4a
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-12-10 23:37:53 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-12-10 23:38:09 +0000

    net-wireless/unifi: drop 6.4.54-r1, 6.5.51, 6.5.53

    Bug: https://bugs.gentoo.org/828853
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 net-wireless/unifi/Manifest               |  3 -
 net-wireless/unifi/unifi-6.4.54-r1.ebuild | 91 -------------------------------
 net-wireless/unifi/unifi-6.5.51.ebuild    | 91 -------------------------------
 net-wireless/unifi/unifi-6.5.53.ebuild    | 86 -----------------------------
 4 files changed, 271 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=80d9051c8c18b74be32881251a35d40e609bd9c6

commit 80d9051c8c18b74be32881251a35d40e609bd9c6
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-12-10 23:37:06 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-12-10 23:37:06 +0000

    net-wireless/unifi: amd64 stable

    Bug: https://bugs.gentoo.org/828853
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 net-wireless/unifi/unifi-6.5.54-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Thank you!
This version no longer seems to be available upstream:

>>> Downloading 'https://dl.ui.com/unifi/6.5.54/UniFi.unix.zip'
--2021-12-11 10:39:11-- https://dl.ui.com/unifi/6.5.54/UniFi.unix.zip
Resolving dl.ui.com... 52.222.141.169
Connecting to dl.ui.com|52.222.141.169|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=808290b39d84e22f9f6ca185527f31e5f77265eb

commit 808290b39d84e22f9f6ca185527f31e5f77265eb
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-12-11 13:01:46 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-12-11 13:01:46 +0000

    net-wireless/unifi: update SRC_URI

    Bug:https://bugs.gentoo.org/828853
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 net-wireless/unifi/unifi-6.5.54-r1.ebuild | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8324feb1a645a78e4b1d2b96bd02d21a87a06819

commit 8324feb1a645a78e4b1d2b96bd02d21a87a06819
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-12-16 09:58:07 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-12-16 09:59:08 +0000

    net-wireless/unifi: add 6.5.55

    This release fixes CVE-2021-45046.

    Bug: https://bugs.gentoo.org/828853
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 net-wireless/unifi/Manifest            |  1 +
 net-wireless/unifi/unifi-6.5.55.ebuild | 89 ++++++++++++++++++++++++++++++++++
 2 files changed, 90 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4cef2a8d644d8e4f2f8c82e1b8c033ddc04e9421

commit 4cef2a8d644d8e4f2f8c82e1b8c033ddc04e9421
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-12-16 10:01:02 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-12-16 10:01:17 +0000

    net-wireless/unifi: drop 6.5.54-r1

    Bug: https://bugs.gentoo.org/828853
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 net-wireless/unifi/Manifest               |  1 -
 net-wireless/unifi/unifi-6.5.54-r1.ebuild | 89 -------------------------------
 2 files changed, 90 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=029d6f6ccf6152d3ccbd69d61b33fbd0ae7bd562

commit 029d6f6ccf6152d3ccbd69d61b33fbd0ae7bd562
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2022-02-09 12:28:43 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2022-02-09 12:29:27 +0000

    net-wireless/unifi: add 7.0.21

    Bug: https://bugs.gentoo.org/828853
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 net-wireless/unifi/Manifest            |  1 +
 net-wireless/unifi/unifi-7.0.21.ebuild | 89 ++++++++++++++++++++++++++++++++++
 2 files changed, 90 insertions(+)
Just for reference: 7.0.21 includes log4j 2.17.
(In reply to Conrad Kostecki from comment #8)
> Just for reference: 7.0.21 includes log4j 2.17.

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.[1]

[1] https://logging.apache.org/log4j/2.x/#Details
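The version range quoted in the reply above, turned into a check that can be run against the log4j-core jar bundled with an installed package. This is an added example, not part of the bug thread and not Gentoo's or Ubiquiti's code; the function names and the sample jar are constructed for illustration, and it assumes the jar carries the usual Maven pom.properties metadata.

```python
import io
import re
import zipfile

# Maven metadata file that log4j-core jars carry inside the archive.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?")
# Fixed releases named in the comment: one per older branch, plus mainline.
FIXED = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}
FIXED_MAINLINE = (2, 17, 1)


def jar_log4j_version(jar):
    """Return the log4j-core version recorded in a jar (path or file object), or None."""
    with zipfile.ZipFile(jar) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
    m = re.search(r"^version=(\S+)", props, re.MULTILINE)
    return m.group(1) if m else None


def in_affected_range(version):
    """True if version lies in 2.0-beta7 .. 2.17.0, excluding 2.3.2 and 2.12.4."""
    m = VERSION_RE.fullmatch(version.lower())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    num = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    stage, stage_no = m.group(4), int(m.group(5) or 0)
    if num[0] != 2:
        return False  # other major versions are outside the quoted range
    if num == (2, 0, 0) and stage:
        # 2.0 pre-releases: the range starts at beta7; rc builds came later.
        return stage == "rc" or (stage == "beta" and stage_no >= 7)
    return num < FIXED.get(num[:2], FIXED_MAINLINE)


def make_sample_jar(version):
    """Constructed sample: an in-memory jar holding only the metadata file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
    return buf


if __name__ == "__main__":
    for v in ("2.0-beta6", "2.12.4", "2.17.0", "2.17.1"):
        found = jar_log4j_version(make_sample_jar(v))
        print(found, "affected" if in_affected_range(found) else "not affected")
```

On a real system, pass the path of the bundled log4j-core jar to `jar_log4j_version` instead of the constructed sample.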
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=9f1c7e1afafc090d1c9f5074a8f34ce83f4bf4af

commit 9f1c7e1afafc090d1c9f5074a8f34ce83f4bf4af
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-10-26 04:47:43 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-10-26 04:48:14 +0000

    [ GLSA 202310-16 ] Ubiquiti UniFi: remote code execution via bundled log4j

    Bug: https://bugs.gentoo.org/828853
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202310-16.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)