Specifically, is version 1.0.6 vulnerable? (We've got an old project that requires the use of v1.0.6.)
I installed it and looked around for Log4j jar files, but didn't find any.
Any thoughts?
Thanks
Hi @john-3pr. Arduino IDE versions 1.8.10 through 1.8.18 used Log4j.
It was introduced here:
arduino:master
← mattiabertorello:add-file-cache
opened 07:03AM - 28 Jun 19 UTC
- Add the cache for the library and boards files
- Fix the delete of the files… when something fails during the signature check
- Add this configuration: `http.connection_timeout_ms` with 5000 as a default value, `cache.enable` with true as a default value
- Add logging on local file Arduino15/logs/application.log (rotation policy: compress if the log is bigger than 50MB, delete when there are more than 20 compressed log files. See app/src/log4j2.xml)
Fixed issues: https://github.com/arduino/Arduino/issues/8936, https://github.com/arduino/Arduino/issues/6333, https://github.com/arduino/Arduino/issues/7690#issuecomment-397550877
Mitigated: https://github.com/arduino/Arduino/issues/8988
The cache will consider the "Cache-Control" and the ETag headers.
So if the server delivers a file, setting a `Cache-Control="private, max-age=14400"` HTTP header, the file will be cached for 4 hours without making any HTTP request. When the cached file expires the download will make a HEAD request to check for ETag header changes, before making an actual download request.
Trying to emulate the browser behavior: https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching
The metadata of the cached files will be stored in the Arduino15/cache/cache.json
example:
```
{
  "files" : [ {
    "eTag" : "a778ceeb5945afa31275495b8ccd5434",
    "remoteURL" : "https://downloads.arduino.cc/packages/package_index.json.sig",
    "localPath" : "/Users/mattiabertorello/Library/Arduino15/cache/downloads.arduino.cc/packages/package_index.json.sig",
    "md5" : "MD5:a778ceeb5945afa31275495b8ccd5434",
    "createdAt" : "2019-07-03T15:46:58.877",
    "cacheControl" : {
      "maxAge" : 14400,
      "public" : false,
      "private" : true,
      "mustRevalidate" : false,
      "noCache" : false,
      "noStore" : false,
      "noTransform" : false,
      "proxyRevalidate" : false,
      "smaxAge" : -1
    },
    "expires" : "2019-07-03T19:46:58.877"
  }]
}
```
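The check described in the question, looking through an install for Log4j jar files, can miss jars that were renamed or bundled inside another jar. The following is an added example, not code from this thread or from the Arduino project: it flags archives by Log4j 2 file name or by the presence of the `JndiLookup` class from log4j-core, including nested archives. The function names and the `9.9.9` version in the sample tree are constructed for illustration.

```python
import io
import os
import re
import tempfile
import zipfile

MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NAME_RE = re.compile(r"log4j-(?:core|api)-(\d+(?:\.\d+)+)", re.I)
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def scan_archive(src, label, findings, depth=0):
    """Flag an archive by Log4j 2 file name or by the log4j-core MARKER class."""
    try:
        zf = zipfile.ZipFile(src)
    except (zipfile.BadZipFile, OSError):
        return  # unreadable, or not really a zip
    with zf:
        names = zf.namelist()
        m = NAME_RE.search(os.path.basename(label.split("!")[-1]))
        if m or MARKER in names:
            findings.append((label, m.group(1) if m else None, MARKER in names))
        for n in names:  # jars bundled inside jars, to a bounded depth
            if depth < 3 and n.lower().endswith(ARCHIVES):
                scan_archive(io.BytesIO(zf.read(n)), f"{label}!{n}", findings, depth + 1)

def scan_tree(root):
    """Walk an install directory; return (path, version, has_jndi_lookup) hits."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for f in sorted(f for f in files if f.lower().endswith(ARCHIVES)):
            scan_archive(os.path.join(dirpath, f), os.path.join(dirpath, f), findings)
    return findings

def make_jar(name, data=b""):
    """Build a one-entry jar in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()

def demo():
    """Scan a constructed tree: named, renamed, nested and clean jars."""
    core = make_jar(MARKER)
    jars = {"log4j-core-9.9.9.jar": core, "renamed.jar": core,
            "bundle.jar": make_jar("lib/log4j-core-9.9.9.jar", core),
            "clean.jar": make_jar("com/example/Main.class")}
    with tempfile.TemporaryDirectory() as root:
        for name, data in jars.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return [(os.path.relpath(p, root), v, j) for p, v, j in scan_tree(root)]
```

To check a real install, call `scan_tree` on the IDE's install directory. The version it reports is read from the file name only, so it is `None` for a renamed jar.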