[thredds] Second log4j vulnerability

Hello THREDDS users,

A second log4j CVE <https://nvd.nist.gov/vuln/detail/CVE-2021-45046> was
reported yesterday stating that the last patch did not fully address the
exploit. There is now a new patch, 2.16.0.

We have published snapshot releases of the TDS (TDS
4.6.19-20211215.210521-2 and TDS 5.3-SNAPSHOT) which use the latest log4j
release. The snapshots are now listed on the TDS downloads page
<https://www.unidata.ucar.edu/downloads/tds/>. This is a stop-gap solution
to immediately address the security issue, and we will put out official
releases next week.

Importantly, there is *no difference* between a snapshot and a full release
other than the process of naming and archiving the version. The snapshots
available are complete and stable. An official release is a lengthy
process; a snapshot can be made quickly to address a situation such as
this.

We appreciate your patience on this and will update you when official
releases are available (though they will not be different from the
currently available snapshot releases).

best,
THREDDS development team


-- 
Hailey Johnson (she/her)
Software Engineer | THREDDS Developer
Unidata | UCAR Community Programs (UCP)