Patch for log4j?

Postby merauder » Sun Dec 19, 2021 6:22 pm

I've seen some mention of the log4j exploit in other threads, however does anyone have a patch for Subsonic for it? Will the admin/dev issue a patch?

A lot of us, including myself, are paying for the subscription, but there doesn't seem to be much traction on resolving this issue. I've tried pretty much everything else out there; nothing really compares to Subsonic when it comes to organizing your music.

I think this will officially become abandonware once the next cycle of subscription renewals comes about. You'd think that would be enough to motivate the devs to issue a patch?
merauder
 
Posts: 2
Joined: Sun Dec 19, 2021 6:18 pm

Re: Patch for log4j?

Postby J_T_W » Sun Dec 19, 2021 7:39 pm

Subsonic is basically abandonware; it isn't open-source and there is no development by the owner. You might consider moving off to a newer implementation. Both below suggestions run on multiple platforms, I'm a Windows guy so some of my supplemental info isn't as useful to non-Windows users.

If you're looking for a very lateral move, consider Airsonic Advanced https://github.com/airsonic-advanced/airsonic-advanced - It is in active development with frequent snapshot updates https://github.com/airsonic-advanced/airsonic-advanced/releases . Same feature set as Subsonic (API, Sonos, etc.) with updated code. As it is open source, you also get all the features Subsonic Premium gives you, but for free. Minimal effort for installation (latest Java installed, then a command line shortcut to the war file - upgrades even easier with just a fast war file change).

If you're really more API focused, and looking just for a music streaming service, you might consider moving off the Subsonic family of servers altogether. Check out Navidrome https://www.navidrome.org/ . That product is primarily to supply the API with a completely new back-end, and refocuses to just support for audio (no video, podcast, internet radio, etc.). There is not yet built in support for Sonos, but you can find easy linking with something like Bonob https://github.com/simojenki/bonob. As with Airsonic Advanced, no subscription or fee to access the API. Navidrome does have a simplified web UI if desired.

Both products support running as a service with something like NSSM https://nssm.cc/ and IIS works great as a reverse proxy if you wish to run them as SSL.
J_T_W
 
Posts: 93
Joined: Fri May 03, 2013 2:13 pm

Re: Patch for log4j?

Postby merauder » Sun Dec 19, 2021 10:44 pm

I'll give Airsonic Advanced a try, thanks.
merauder
 
Posts: 2
Joined: Sun Dec 19, 2021 6:18 pm

Re: Patch for log4j?

Postby bushman4 » Mon Dec 20, 2021 1:01 pm

Subsonic is not affected by the Log4J2 "Log4Shell" vulnerability. It uses Log4j1, not Log4j2.

Glenn
Glenn Sullivan
Subsonic 6.1.6 (Unraid Docker)
90 regular Subsonic Users

Library as of 2021-09-23:
4,120 artists
16,235 albums
201,172 songs
5525.59 GB
26,799 hours
bushman4
 
Posts: 872
Joined: Thu Dec 02, 2010 1:47 pm
Location: Massachusetts, USA
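
A way to check the claim in the post above against your own install, as an added example that is not part of the thread or of Subsonic: it opens a WAR/JAR, recurses into bundled jars, and reports whether Log4j 1.x classes, Log4j 2.x core classes, or the `JndiLookup` class are present. The function names and the sample archive are assumptions made for this example.

```python
import io
import sys
import zipfile

# Class paths as shipped in the Apache Log4j 1.x and 2.x (log4j-core) jars.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
LOG4J2_CORE_MARKER = "org/apache/logging/log4j/core/Logger.class"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, label="<root>", depth=0, max_depth=5):
    """Return [(archive_label, finding)] for Log4j classes in raw zip bytes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not an archive (or corrupt): nothing to report
    findings = []
    with zf:
        names = sorted(zf.namelist())
        # Note: the Log4j 2 "1.2 API bridge" jar also ships this class name,
        # so a 1.x hit only means "no 2.x" if log4j-core is absent as well.
        if LOG4J1_MARKER in names:
            findings.append((label, "log4j-1.x"))
        if LOG4J2_CORE_MARKER in names:
            findings.append((label, "log4j-core-2.x"))
        if JNDI_LOOKUP in names:
            findings.append((label, "JndiLookup present"))
        for name in names:  # recurse into jars under e.g. WEB-INF/lib/
            if depth < max_depth and name.lower().endswith(ARCHIVE_EXT):
                findings += scan_archive(zf.read(name), f"{label}!{name}",
                                         depth + 1, max_depth)
    return findings


def make_zip(entries):
    """Build an in-memory zip from {name: bytes}; used for constructed input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


def sample_war():
    # Constructed sample (not a real Subsonic WAR): bundles a 1.x-style jar only.
    return make_zip({"WEB-INF/lib/log4j-sample.jar": make_zip({LOG4J1_MARKER: b""})})


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else sample_war()
    print(scan_archive(data, path or "sample.war"))
```

Run it with the path to the server's `.war` or `.jar` as the only argument; with no argument it scans the constructed sample.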

Re: Patch for log4j?

Postby RemkoM » Sat Dec 25, 2021 9:43 pm

I'm absolutely no expert in this, but isn't Log4j1 deprecated because of other vulnerabilities back in 2015? This recent Log4Shell situation does make me look differently at Subsonic and how responsible it is to run abandoned internet-facing applications.
RemkoM
 
Posts: 22
Joined: Tue Nov 20, 2012 11:11 am

