CVE-2021-44228 and Jitsi components

There is no ETA at the moment; normally we do that after a meet.jit.si release. Probably we will do one in the following weeks.
The latest stable is safe with all the issues. The new release will just remove log4j completely.
If you are not using callstats, a temporary workaround will be to just delete the log4j binary from /usr/share and run it like that; I think that should work.

@damencho I think you mean “If you are using callstats…”, isn’t it?

No. If you AREN’T using callstats, then it’s safe to delete because it’s unused. The dependency will be gone altogether in the next stable update.


OK, understood, thanks, @saghul

Sorry for being obtuse

But if I am not using callstats - why do I need to remove log4j? I understood that Jitsi is only affected, if I do use callstats…

You don’t need to. Some users are using tools for scanning files on the system, and even if that is not used, those are being flagged …
We will push a new stable today or tomorrow that completely removes log4j.


FYI a regression about secure domain in current stable has been reported today. I can confirm it for current unstable (6834).
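
As an added example (not part of the thread and not Jitsi's code), the Python below shows why the file scanners mentioned above flag an install even when log4j is unused: they look for the log4j-core `JndiLookup.class` entry inside archives on disk, including jars bundled inside other jars. The function names, the nesting limit of 3 and the sample jars are assumptions constructed for illustration.

```python
import io
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j-core JNDI lookup
ARCHIVE_EXT = (".jar", ".war", ".ear")


def scan_archive(data, label, hits, depth=0):
    """Record label if the archive holds JndiLookup.class; recurse into nested archives."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name == JNDI_CLASS or name.endswith("/" + JNDI_CLASS):
                    hits.append(label)
                elif name.lower().endswith(ARCHIVE_EXT) and depth < 3:  # assumed nesting limit
                    scan_archive(zf.read(name), f"{label}!{name}", hits, depth + 1)
    except zipfile.BadZipFile:
        pass  # mislabeled or truncated file, not a real archive; skip it


def find_log4j_core(root):
    """Return a label for every archive under root that ships JndiLookup.class."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            scan_archive(path.read_bytes(), str(path), hits)
    return hits


def make_jar(entries):
    """Build an in-memory jar from {entry name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo():
    """Scan a constructed tree: a log4j-core jar, a fat jar bundling it, and a clean jar."""
    core = make_jar({JNDI_CLASS: b"stub"})
    samples = {"log4j-core.jar": core, "app.jar": make_jar({"lib/log4j-core.jar": core}),
               "clean.jar": make_jar({"org/example/Main.class": b"stub"})}
    with tempfile.TemporaryDirectory() as root:
        for fname, data in samples.items():
            Path(root, fname).write_bytes(data)
        return [str(Path(h).relative_to(root)) for h in find_log4j_core(root)]
```

Pointing `find_log4j_core` at an install root lists the archives such a scanner would report; after the jar is deleted or the dependency is dropped in a new release, the list should come back empty.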