| author | Zhaofeng Li <hello@zhaofeng.li> | 2021-12-17 15:55:13 -0800 |
|---|---|---|
| committer | github-actions[bot] <github-actions[bot]@users.noreply.github.com> | 2021-12-18 12:05:06 +0000 |
| commit | 88827f479ca4138a96cec632dfdc71b68fbae840 (patch) | |
| tree | 0014ce07079c6b0e5699374386bf0a10598069dd | |
| parent | Merge pull request #151176 from NixOS/backport-150536-to-release-21.11 (diff) | |
| download | nixpkgs-88827f479ca4138a96cec632dfdc71b68fbae840.tar.gz | |
unifi5: Follow new mitigation guidelines
Simply disabling lookups isn't enough, and the JndiLookup class must be
removed:
https://web.archive.org/web/20211217085954/https://logging.apache.org/log4j/2.x/security.html
(cherry picked from commit a4bcad541efd2b1df441c70cf81f05c578c9f018)
| -rw-r--r-- | nixos/modules/services/networking/unifi.nix | 1 | ||||
| -rw-r--r-- | pkgs/servers/unifi/default.nix | 14 |
2 files changed, 9 insertions, 6 deletions
diff --git a/nixos/modules/services/networking/unifi.nix b/nixos/modules/services/networking/unifi.nix
index 174e919f988b..53ad4df477fc 100644
--- a/nixos/modules/services/networking/unifi.nix
+++ b/nixos/modules/services/networking/unifi.nix
@@ -7,7 +7,6 @@ let
 @${cfg.jrePackage}/bin/java java \
 ${optionalString (cfg.initialJavaHeapSize != null) "-Xms${(toString cfg.initialJavaHeapSize)}m"} \
 ${optionalString (cfg.maximumJavaHeapSize != null) "-Xmx${(toString cfg.maximumJavaHeapSize)}m"} \
- ${optionalString (lib.versionOlder cfg.unifiPackage.version "6.5.54") "-Dlog4j2.formatMsgNoLookups=true"} \
 -jar ${stateDir}/lib/ace.jar
 '';
 in
diff --git a/pkgs/servers/unifi/default.nix b/pkgs/servers/unifi/default.nix
index b4c1d9739efd..c197ca259080 100644
--- a/pkgs/servers/unifi/default.nix
+++ b/pkgs/servers/unifi/default.nix
@@ -1,10 +1,9 @@
-{ lib, stdenv, dpkg, fetchurl }:
+{ lib, stdenv, dpkg, fetchurl, zip }:
 let
- generic = { version, sha256, suffix ? "" }:
- stdenv.mkDerivation {
+ generic = { version, sha256, suffix ? "", ... } @ args:
+ stdenv.mkDerivation (args // {
 pname = "unifi-controller";
- inherit version;
 src = fetchurl {
 url = "https://dl.ubnt.com/unifi/${version}${suffix}/unifi_sysvinit_all.deb";
@@ -36,7 +35,7 @@ let
 platforms = platforms.unix;
 maintainers = with maintainers; [ erictapen globin patryk27 pennae ];
 };
- };
+ });
 in rec {
 # see https://community.ui.com/releases / https://www.ui.com/download/unifi
@@ -49,6 +48,11 @@ in rec {
 unifi5 = generic {
 version = "5.14.23";
 sha256 = "1aar05yjm3z5a30x505w4kakbyz35i7mk7xyg0wm4ml6h94d84pv";
+
+ postInstall = ''
+ # Remove when log4j is updated to 2.12.2 or 2.16.0.
+ ${zip}/bin/zip -q -d $out/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
+ '';
 };
 unifi6 = generic { |
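Review bot: In the first hunk of pkgs/servers/unifi/default.nix, passing `args` straight into `stdenv.mkDerivation (args // {` also forwards `sha256` and `suffix` as derivation attributes, so they land in the build environment, and any future argument name is passed through unchecked. Because the literal set is on the right of `//`, it wins over caller-supplied keys, which deserves a one-line comment such as `# extra args (e.g. postInstall) pass through; attributes set below take precedence`. If the stray attributes are unwanted, `(removeAttrs args [ "sha256" "suffix" ] // {` keeps them out, at the cost of changing the derivation hash. The body of `generic` continues outside the hunk.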
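Review bot: The JndiLookup removal in `unifi5.postInstall` has no check that it actually ran: the `installPhase` of `generic` is outside the visible hunks, and if it does not call `runHook postInstall` the step is skipped silently and the vulnerable class ships. If `$out/lib/log4j-core-*.jar` ever matches more than one jar, `zip -d` would presumably treat the extra paths as entry names and strip only the first archive, so I would loop instead: `for jar in "$out"/lib/log4j-core-*.jar; do ${zip}/bin/zip -q -d "$jar" org/apache/logging/log4j/core/lookup/JndiLookup.class; done`. The module hunk drops `-Dlog4j2.formatMsgNoLookups=true` for every package older than 6.5.54 while only `unifi5` gets the class removal here, so it is worth confirming that no other pre-6.5.54 package can be selected through `cfg.unifiPackage`.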
