
Security release: Talkyard v0.2021.38

By KajMagnus (@KajMagnus), 2021-12-13 13:45 UTC, edited 2021-12-13 14:41 UTC

Upgrade to Talkyard v0.2021.38, if you're self hosted and have disabled automatic upgrades.

If you have auto upgrades enabled, your Talkyard site (if any) should have upgraded itself automatically last night. — Sites hosted by us have also been upgraded.

Security fixes

This version (actually, some earlier versions) fixes two security problems:

Log4j2

This new Ty version (i.e. v0.2021.38) also deals with a Log4j2 Remote Code Execution (RCE) security bug. Turns out Talkyard wasn't vulnerable — Ty uses a newer & safer version of JVM 8 — but we've upgraded Log4j2 in any case.

About the Log4j2 RCE, see: https://www.lunasec.io/docs/blog/log4j-zero-day/ and https://news.ycombinator.com/item?id=29504755.

Talkyard uses ElasticSearch, which uses Log4j2, but also wasn't vulnerable because of the Java Security Manager. However, there are other related problems, so we've set -Dlog4j2.formatMsgNoLookups=true (which stops them) in ElasticSearch in this new Ty version. See: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
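A self-hosted admin may want to confirm that the flag actually reached the running ElasticSearch JVM rather than trust the upgrade. The check below is an added example, not Talkyard's own code: it reads the JVM flags that ElasticSearch's nodes-info API reports and looks for -Dlog4j2.formatMsgNoLookups=true on every node. It assumes curl is installed and that ElasticSearch listens on the URL in ES_URL; the two sample responses are constructed to mimic the API's shape.

```shell
#!/bin/sh
# Added example, not Talkyard's own code: confirm that an Elasticsearch node
# really received -Dlog4j2.formatMsgNoLookups=true, by reading the JVM flags
# the nodes-info API reports under nodes.<id>.jvm.input_arguments.
# Assumed: curl is installed and ES listens on $ES_URL (default below).
set -e
ES_URL="${ES_URL:-http://localhost:9200}"
# Takes a file holding a /_nodes/jvm response. Returns 0 only if every node's
# input_arguments array contains the mitigation flag; plain grep, no jq needed.
check_nolookups_json() {
  arrays=$(tr -d '\n ' < "$1" | grep -o '"input_arguments":\[[^]]*\]' || true)
  total=$(printf '%s\n' "$arrays" | grep -c 'input_arguments' || true)
  mitigated=$(printf '%s\n' "$arrays" \
    | grep -c -- '-Dlog4j2.formatMsgNoLookups=true' || true)
  if [ "$total" -gt 0 ] && [ "$total" -eq "$mitigated" ]; then
    return 0
  fi
  return 1
}

# Fetches the live response and checks it (only runs when CHECK_LIVE=1).
check_live_node() {
  tmp=$(mktemp)
  curl -sS "$ES_URL/_nodes/jvm" > "$tmp"
  if check_nolookups_json "$tmp"; then rc=0; else rc=1; fi
  rm -f "$tmp"
  return $rc
}

# Constructed sample responses (shape only; not real Talkyard output).
SAMPLE_OK=$(mktemp); SAMPLE_MISSING=$(mktemp)
trap 'rm -f "$SAMPLE_OK" "$SAMPLE_MISSING"' EXIT
cat > "$SAMPLE_OK" <<'EOF'
{"cluster_name":"talkyard","nodes":{"n1":{"name":"search","jvm":{"version":
"1.8.0_312","input_arguments":["-Xms512m","-Dlog4j2.formatMsgNoLookups=true",
"-Des.path.home=/usr/share/elasticsearch"]}}}}
EOF
cat > "$SAMPLE_MISSING" <<'EOF'
{"cluster_name":"talkyard","nodes":{"n1":{"name":"search","jvm":{"version":
"1.8.0_312","input_arguments":["-Xms512m","-Des.path.home=/usr/share/elasticsearch"]}}}}
EOF
for f in "$SAMPLE_OK" "$SAMPLE_MISSING"; do
  if check_nolookups_json "$f"; then echo "$f: mitigation flag present"
  else echo "$f: mitigation flag MISSING on at least one node"; fi
done
if [ "${CHECK_LIVE:-0}" = 1 ]; then
  if check_live_node; then echo "$ES_URL: flag present on every node"
  else echo "$ES_URL: flag MISSING on at least one node"; fi
fi
```

The flag is only honoured by Log4j 2.10 and later, so on an older Log4j the only fix is upgrading the library itself.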
