From d2bc522e42c9a1b0b54f09dad073c441368470ad Mon Sep 17 00:00:00 2001 From: "Noah W. Smith" Date: Thu, 9 May 2024 13:58:26 -0400 Subject: [PATCH 1/7] Update Dockerfile Clean out ancient log4j and replace with patched version --- blazegraph/Dockerfile | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/blazegraph/Dockerfile b/blazegraph/Dockerfile index 467f4802..eaded13d 100644 --- a/blazegraph/Dockerfile +++ b/blazegraph/Dockerfile 
@@ -6,14 +6,32 @@ ARG BLAZEGRAPH_VERSION="CANDIDATE_2_1_5" ARG BLAZEGRAPH_FILE="blazegraph.war" ARG BLAZEGRAPH_URL="https://github.com/blazegraph/database/releases/download/BLAZEGRAPH_RELEASE_${BLAZEGRAPH_VERSION}/${BLAZEGRAPH_FILE}" ARG BLAZEGRAPH_SHA256="b22f1a1aa8e536443db9a57da63720813374ef59e4021cfa9ad0e98f9a420e85" +ARG LOG4J_VERSION="2.22.0" +ARG LOG4J_FILE="apache-log4j-${LOG4J_VERSION}-bin.zip" +ARG LOG4J_URL="https://archive.apache.org/dist/logging/log4j/${LOG4J_VERSION}/${LOG4J_FILE}" +ARG LOG4J_FILE_SHA256="c6d61ecf2563b1200e02587b89b7c75b58b6e62e6a16cdb6f333c2482167c2dc" +ARG OLD_LOG4J_VERSION="2.17" # Platform agnostic does not require arch specific identifier. RUN --mount=type=cache,id=blazegraph-downloads-${TARGETARCH},sharing=locked,target=/opt/downloads \ download.sh \ --url "${BLAZEGRAPH_URL}" \ --sha256 "${BLAZEGRAPH_SHA256}" \ - --dest "/opt/tomcat/webapps/bigdata" \ + --dest "/opt/tomcat/webapps/bigdata" + +# Remove old files & then install latest log4j-* files +RUN --mount=type=cache,id=log4j-downloads-${TARGETARCH},sharing=locked,target=/opt/downloads \ + download.sh \ + --url "${LOG4J_URL}" \ + --sha256 "${LOG4J_FILE_SHA256}" \ && \ + ## Remove the outmoded log4j-* files that come with blazegraph + rm -f "/opt/tomcat/webapps/bigdata/WEB-INF/lib/log4j-1.2.17.jar" && \ + ## Add new log4j-* files + unzip -o "${DOWNLOAD_CACHE_DIRECTORY}/${LOG4J_FILE}" -d "${DOWNLOAD_CACHE_DIRECTORY}" && \ + cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-1.2-api-${LOG4J_VERSION}.jar" /opt/tomcat/webapps/bigdata/WEB-INF/lib/ && \ + cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-api-${LOG4J_VERSION}.jar" /opt/tomcat/webapps/bigdata/WEB-INF/lib/ && \ + cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-core-${LOG4J_VERSION}.jar" /opt/tomcat/webapps/bigdata/WEB-INF/lib/ && \ cleanup.sh COPY --link rootfs / From 113f5afaa8850baec22592560f2dc03c344a7e06 Mon Sep 17 00:00:00 2001 
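Review bot: The `rm -f "/opt/tomcat/webapps/bigdata/WEB-INF/lib/log4j-1.2.17.jar"` step succeeds whether or not that file exists, so if the jar bundled in the WAR is ever named differently the build still passes with the log4j 1.x jar on the classpath next to the new ones. The same holds for the `rm -f` lists added to fits/Dockerfile (2/7) and solr/Dockerfile (4/7). Dropping `-f`, or ending the RUN with a guard such as `! find /opt/tomcat/webapps/bigdata/WEB-INF/lib -name 'log4j-*.jar' ! -name "*-${LOG4J_VERSION}.jar" | grep -q .` before `cleanup.sh`, would turn a missed jar into a build failure. Separately, `ARG OLD_LOG4J_VERSION="2.17"` is declared but not referenced in this hunk, and the jar actually removed is 1.2.17, so the ARG should either appear in the `rm` path or be dropped.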
From: "Noah W. Smith" Date: Thu, 9 May 2024 14:32:57 -0400 Subject: [PATCH 2/7] FITS log4j cleanup --- fits/Dockerfile | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/fits/Dockerfile b/fits/Dockerfile index fa9a6b1e..e10b2dde 100644 --- a/fits/Dockerfile +++ b/fits/Dockerfile @@ -12,6 +12,12 @@ ARG FITS_FILE="fits-${FITS_VERSION}.zip" ARG FITS_URL="https://github.com/harvard-lts/fits/releases/download/${FITS_VERSION}/${FITS_FILE}" ARG FITS_SHA256="32e436effe7251c5b067ec3f02321d5baf4944b3f0d1010fb8ec42039d9e3b73" +ARG LOG4J_VERSION="2.22.0" +ARG LOG4J_FILE="apache-log4j-${LOG4J_VERSION}-bin.zip" +ARG LOG4J_URL="https://archive.apache.org/dist/logging/log4j/${LOG4J_VERSION}/${LOG4J_FILE}" +ARG LOG4J_FILE_SHA256="c6d61ecf2563b1200e02587b89b7c75b58b6e62e6a16cdb6f333c2482167c2dc" +ARG OLD_LOG4J_VERSION="2.17.1" + # Platform agnostic does not require arch specific identifier. RUN --mount=type=cache,id=fits-downloads-${TARGETARCH},sharing=locked,target=/opt/downloads \ download.sh \ 
@@ -46,6 +52,24 @@ RUN --mount=type=cache,id=fits-apk-${TARGETARCH},sharing=locked,target=/var/cach && \ cleanup.sh +# Remove old files & then install latest log4j-* files +RUN --mount=type=cache,id=log4j-downloads-${TARGETARCH},sharing=locked,target=/opt/downloads \ + download.sh \ + --url "${LOG4J_URL}" \ + --sha256 "${LOG4J_FILE_SHA256}" \ + && \ + ## Remove the outmoded log4j-* files that come with fits + rm -f /opt/fits/lib/droid/log4j-1.2.13.jar && \ + rm -f "/opt/tomcat/webapps/fits/WEB-INF/lib/log4j-api-${OLD_LOG4J_VERSION}.jar" && \ + rm -f "/opt/tomcat/webapps/fits/WEB-INF/lib/log4j-core-${OLD_LOG4J_VERSION}.jar" && \ + ## Add new log4j-* files + unzip -o "${DOWNLOAD_CACHE_DIRECTORY}/${LOG4J_FILE}" -d "${DOWNLOAD_CACHE_DIRECTORY}" && \ + cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-1.2-api-${LOG4J_VERSION}.jar" /opt/fits/lib/droid/ && \ + cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-1.2-api-${LOG4J_VERSION}.jar" /opt/tomcat/webapps/fits/WEB-INF/lib/ && \ + cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-api-${LOG4J_VERSION}.jar" /opt/tomcat/webapps/fits/WEB-INF/lib/ && \ + cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-core-${LOG4J_VERSION}.jar" /opt/tomcat/webapps/fits/WEB-INF/lib/ && \ + cleanup.sh + ENV \ FITS_MAX_IN_MEMORY_FILE_SIZE=4 \ FITS_MAX_OBJECTS_IN_POOL=5 \ From e013e952a3525dc2df0ab35d1ab24b2a1b0d9f19 Mon Sep 17 00:00:00 2001 From: "Noah W. Smith" Date: Thu, 9 May 2024 14:33:52 -0400 Subject: [PATCH 3/7] Blazegraph Dockerfile style guide fix --- blazegraph/Dockerfile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/blazegraph/Dockerfile b/blazegraph/Dockerfile index eaded13d..a67463f6 100644 --- a/blazegraph/Dockerfile +++ b/blazegraph/Dockerfile 
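Review bot: The three `rm -f` lines sit in a new RUN, after the layers that put those jars into the image (presumably the download RUNs earlier in the file, outside this hunk), so the old log4j jars are only masked in the final filesystem; they stay retrievable from the earlier layer and still count toward image size. Patch 7/7 corrects this for blazegraph by moving the `rm` into the RUN that unpacks the WAR, and fits/Dockerfile needs the same move for `/opt/fits/lib/droid/log4j-1.2.13.jar` and the two `${OLD_LOG4J_VERSION}` jars. Also, `/opt/fits/lib/droid/` receives only `log4j-1.2-api-${LOG4J_VERSION}.jar`; that bridge needs log4j-api on the same classpath, so it is worth confirming how droid's classpath is assembled and noting it in a comment above the `cp`.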
@@ -17,7 +17,9 @@ RUN --mount=type=cache,id=blazegraph-downloads-${TARGETARCH},sharing=locked,targ download.sh \ --url "${BLAZEGRAPH_URL}" \ --sha256 "${BLAZEGRAPH_SHA256}" \ - --dest "/opt/tomcat/webapps/bigdata" + --dest "/opt/tomcat/webapps/bigdata" \ + && \ + cleanup.sh # Remove old files & then install latest log4j-* files RUN --mount=type=cache,id=log4j-downloads-${TARGETARCH},sharing=locked,target=/opt/downloads \ From dcfafd70fcd6313ff562b3f3749a3a6ff3dde034 Mon Sep 17 00:00:00 2001 From: "Noah W. Smith" Date: Thu, 9 May 2024 14:35:45 -0400 Subject: [PATCH 4/7] Solr log4j cleanup --- solr/Dockerfile | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/solr/Dockerfile b/solr/Dockerfile index 358197ba..aea3d1cd 100644 --- a/solr/Dockerfile +++ b/solr/Dockerfile @@ -7,6 +7,12 @@ ARG SOLR_FILE=solr-${SOLR_VERSION}.tgz ARG SOLR_URL=https://archive.apache.org/dist/solr/solr/${SOLR_VERSION}/solr-${SOLR_VERSION}.tgz ARG SOLR_FILE_SHA256=d8538502019af1945e0b124a4613b46ca43aedcf3f20e9912c482c080407ea21 +ARG LOG4J_VERSION="2.22.0" +ARG LOG4J_FILE="apache-log4j-${LOG4J_VERSION}-bin.zip" +ARG LOG4J_URL="https://archive.apache.org/dist/logging/log4j/${LOG4J_VERSION}/${LOG4J_FILE}" +ARG LOG4J_FILE_SHA256="c6d61ecf2563b1200e02587b89b7c75b58b6e62e6a16cdb6f333c2482167c2dc" +ARG OLD_LOG4J_VERSION="2.17.1" + EXPOSE 8983 WORKDIR /opt/solr 
@@ -24,6 +30,42 @@ RUN --mount=type=cache,id=solr-downloads-${TARGETARCH},sharing=locked,target=/op && \ cleanup.sh +# Remove old files & then install latest log4j-* files +RUN --mount=type=cache,id=log4j-downloads-${TARGETARCH},sharing=locked,target=/opt/downloads \ + download.sh \ + --url "${LOG4J_URL}" \ + --sha256 "${LOG4J_FILE_SHA256}" \ + && \ + ## Remove the outmoded log4j-* files that come with Solr + rm -f "/opt/solr/contrib/prometheus-exporter/lib/log4j-api-${OLD_LOG4J_VERSION}.jar" && \ + rm -f "/opt/solr/contrib/prometheus-exporter/lib/log4j-core-${OLD_LOG4J_VERSION}.jar" && \ + rm -f "/opt/solr/contrib/prometheus-exporter/lib/log4j-slf4j-impl-${OLD_LOG4J_VERSION}.jar" && \ + rm -f "/opt/solr/licenses/log4j-1.2-api-${OLD_LOG4J_VERSION}.jar.sha1" && \ + rm -f "/opt/solr/licenses/log4j-api-${OLD_LOG4J_VERSION}.jar.sha1" && \ + rm -f "/opt/solr/licenses/log4j-core-${OLD_LOG4J_VERSION}.jar.sha1" && \ + rm -f "/opt/solr/licenses/log4j-layout-template-json-${OLD_LOG4J_VERSION}.jar.sha1" && \ + rm -f "/opt/solr/licenses/log4j-slf4j-impl-${OLD_LOG4J_VERSION}.jar.sha1" && \ + rm -f "/opt/solr/licenses/log4j-web-${OLD_LOG4J_VERSION}.jar.sha1" && \ + rm -f "/opt/solr/server/lib/ext/log4j-${OLD_LOG4J_VERSION}.jar" && \ + rm -f "/opt/solr/server/lib/ext/log4j-1.2-api-${OLD_LOG4J_VERSION}.jar" && \ + rm -f "/opt/solr/server/lib/ext/log4j-api-${OLD_LOG4J_VERSION}.jar" && \ + rm -f "/opt/solr/server/lib/ext/log4j-core-${OLD_LOG4J_VERSION}.jar" && \ + rm -f "/opt/solr/server/lib/ext/log4j-layout-template-json-${OLD_LOG4J_VERSION}.jar" && \ + rm -f "/opt/solr/server/lib/ext/log4j-slf4j-impl-${OLD_LOG4J_VERSION}.jar" && \ + rm -f "/opt/solr/server/lib/ext/log4j-web-${OLD_LOG4J_VERSION}.jar" && \ + ## Add new log4j-* files + unzip -o "${DOWNLOAD_CACHE_DIRECTORY}/${LOG4J_FILE}" -d "${DOWNLOAD_CACHE_DIRECTORY}" && \ + cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-1.2-api-${LOG4J_VERSION}.jar" /opt/solr/server/lib/ext/ && \ + cp 
"${DOWNLOAD_CACHE_DIRECTORY}/log4j-api-${LOG4J_VERSION}.jar" /opt/solr/contrib/prometheus-exporter/lib/ && \ + cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-api-${LOG4J_VERSION}.jar" /opt/solr/server/lib/ext/ && \ + cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-core-${LOG4J_VERSION}.jar" /opt/solr/contrib/prometheus-exporter/lib/ && \ + cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-core-${LOG4J_VERSION}.jar" /opt/solr/server/lib/ext/ && \ + cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-layout-template-json-${LOG4J_VERSION}.jar" /opt/solr/server/lib/ext/ && \ + cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-slf4j-impl-${LOG4J_VERSION}.jar" /opt/solr/contrib/prometheus-exporter/lib/ && \ + cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-slf4j-impl-${LOG4J_VERSION}.jar" /opt/solr/server/lib/ext/ && \ + cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-web-${LOG4J_VERSION}.jar" /opt/solr/server/lib/ext/ && \ + cleanup.sh + RUN create-service-user.sh --name solr /data && \ cleanup.sh From 3c2aaf591f6a02e3f84c7b9740eb46d4d5496ad1 Mon Sep 17 00:00:00 2001 From: "Noah W. Smith" Date: Thu, 9 May 2024 15:57:19 -0400 Subject: [PATCH 5/7] Back out Solr changes --- solr/Dockerfile | 36 ------------------------------------ 1 file changed, 36 deletions(-) diff --git a/solr/Dockerfile b/solr/Dockerfile index aea3d1cd..ff041c44 100644 --- a/solr/Dockerfile +++ b/solr/Dockerfile 
@@ -30,42 +30,6 @@ RUN --mount=type=cache,id=solr-downloads-${TARGETARCH},sharing=locked,target=/op && \ cleanup.sh -# Remove old files & then install latest log4j-* files -RUN --mount=type=cache,id=log4j-downloads-${TARGETARCH},sharing=locked,target=/opt/downloads \ - download.sh \ - --url "${LOG4J_URL}" \ - --sha256 "${LOG4J_FILE_SHA256}" \ - && \ - ## Remove the outmoded log4j-* files that come with Solr - rm -f "/opt/solr/contrib/prometheus-exporter/lib/log4j-api-${OLD_LOG4J_VERSION}.jar" && \ - rm -f "/opt/solr/contrib/prometheus-exporter/lib/log4j-core-${OLD_LOG4J_VERSION}.jar" && \ - rm -f "/opt/solr/contrib/prometheus-exporter/lib/log4j-slf4j-impl-${OLD_LOG4J_VERSION}.jar" && \ - rm -f "/opt/solr/licenses/log4j-1.2-api-${OLD_LOG4J_VERSION}.jar.sha1" && \ - rm -f "/opt/solr/licenses/log4j-api-${OLD_LOG4J_VERSION}.jar.sha1" && \ - rm -f "/opt/solr/licenses/log4j-core-${OLD_LOG4J_VERSION}.jar.sha1" && \ - rm -f "/opt/solr/licenses/log4j-layout-template-json-${OLD_LOG4J_VERSION}.jar.sha1" && \ - rm -f "/opt/solr/licenses/log4j-slf4j-impl-${OLD_LOG4J_VERSION}.jar.sha1" && \ - rm -f "/opt/solr/licenses/log4j-web-${OLD_LOG4J_VERSION}.jar.sha1" && \ - rm -f "/opt/solr/server/lib/ext/log4j-${OLD_LOG4J_VERSION}.jar" && \ - rm -f "/opt/solr/server/lib/ext/log4j-1.2-api-${OLD_LOG4J_VERSION}.jar" && \ - rm -f "/opt/solr/server/lib/ext/log4j-api-${OLD_LOG4J_VERSION}.jar" && \ - rm -f "/opt/solr/server/lib/ext/log4j-core-${OLD_LOG4J_VERSION}.jar" && \ - rm -f "/opt/solr/server/lib/ext/log4j-layout-template-json-${OLD_LOG4J_VERSION}.jar" && \ - rm -f "/opt/solr/server/lib/ext/log4j-slf4j-impl-${OLD_LOG4J_VERSION}.jar" && \ - rm -f "/opt/solr/server/lib/ext/log4j-web-${OLD_LOG4J_VERSION}.jar" && \ - ## Add new log4j-* files - unzip -o "${DOWNLOAD_CACHE_DIRECTORY}/${LOG4J_FILE}" -d "${DOWNLOAD_CACHE_DIRECTORY}" && \ - cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-1.2-api-${LOG4J_VERSION}.jar" /opt/solr/server/lib/ext/ && \ - cp 
"${DOWNLOAD_CACHE_DIRECTORY}/log4j-api-${LOG4J_VERSION}.jar" /opt/solr/contrib/prometheus-exporter/lib/ && \ - cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-api-${LOG4J_VERSION}.jar" /opt/solr/server/lib/ext/ && \ - cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-core-${LOG4J_VERSION}.jar" /opt/solr/contrib/prometheus-exporter/lib/ && \ - cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-core-${LOG4J_VERSION}.jar" /opt/solr/server/lib/ext/ && \ - cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-layout-template-json-${LOG4J_VERSION}.jar" /opt/solr/server/lib/ext/ && \ - cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-slf4j-impl-${LOG4J_VERSION}.jar" /opt/solr/contrib/prometheus-exporter/lib/ && \ - cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-slf4j-impl-${LOG4J_VERSION}.jar" /opt/solr/server/lib/ext/ && \ - cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-web-${LOG4J_VERSION}.jar" /opt/solr/server/lib/ext/ && \ - cleanup.sh - RUN create-service-user.sh --name solr /data && \ cleanup.sh From b6c32b4b52a376441637752b1b79db02177a7299 Mon Sep 17 00:00:00 2001 From: "Noah W. Smith" Date: Fri, 10 May 2024 12:38:39 -0400 Subject: [PATCH 6/7] Revert Solr Dockerfile to original --- solr/Dockerfile | 6 ------ 1 file changed, 6 deletions(-) diff --git a/solr/Dockerfile b/solr/Dockerfile index ff041c44..358197ba 100644 --- a/solr/Dockerfile +++ b/solr/Dockerfile @@ -7,12 +7,6 @@ ARG SOLR_FILE=solr-${SOLR_VERSION}.tgz ARG SOLR_URL=https://archive.apache.org/dist/solr/solr/${SOLR_VERSION}/solr-${SOLR_VERSION}.tgz ARG SOLR_FILE_SHA256=d8538502019af1945e0b124a4613b46ca43aedcf3f20e9912c482c080407ea21 -ARG LOG4J_VERSION="2.22.0" -ARG LOG4J_FILE="apache-log4j-${LOG4J_VERSION}-bin.zip" -ARG LOG4J_URL="https://archive.apache.org/dist/logging/log4j/${LOG4J_VERSION}/${LOG4J_FILE}" -ARG LOG4J_FILE_SHA256="c6d61ecf2563b1200e02587b89b7c75b58b6e62e6a16cdb6f333c2482167c2dc" -ARG OLD_LOG4J_VERSION="2.17.1" - EXPOSE 8983 WORKDIR /opt/solr From 809c129e182b3e1f2d34010582c2eab94bfc3f82 Mon Sep 17 00:00:00 2001 
From: "Noah W. Smith" Date: Fri, 10 May 2024 12:42:05 -0400 Subject: [PATCH 7/7] rm log4j 1.2.7 in the same RUN that creates it --- blazegraph/Dockerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/blazegraph/Dockerfile b/blazegraph/Dockerfile index a67463f6..ca654693 100644 --- a/blazegraph/Dockerfile +++ b/blazegraph/Dockerfile @@ -19,16 +19,16 @@ RUN --mount=type=cache,id=blazegraph-downloads-${TARGETARCH},sharing=locked,targ --sha256 "${BLAZEGRAPH_SHA256}" \ --dest "/opt/tomcat/webapps/bigdata" \ && \ + ## Remove the outmoded log4j-* files that come with blazegraph + rm -f "/opt/tomcat/webapps/bigdata/WEB-INF/lib/log4j-1.2.17.jar" && \ cleanup.sh -# Remove old files & then install latest log4j-* files +# Now drop in newer log4j-* files RUN --mount=type=cache,id=log4j-downloads-${TARGETARCH},sharing=locked,target=/opt/downloads \ download.sh \ --url "${LOG4J_URL}" \ --sha256 "${LOG4J_FILE_SHA256}" \ && \ - ## Remove the outmoded log4j-* files that come with blazegraph - rm -f "/opt/tomcat/webapps/bigdata/WEB-INF/lib/log4j-1.2.17.jar" && \ ## Add new log4j-* files unzip -o "${DOWNLOAD_CACHE_DIRECTORY}/${LOG4J_FILE}" -d "${DOWNLOAD_CACHE_DIRECTORY}" && \ cp "${DOWNLOAD_CACHE_DIRECTORY}/log4j-1.2-api-${LOG4J_VERSION}.jar" /opt/tomcat/webapps/bigdata/WEB-INF/lib/ && \
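Review bot: With `log4j-1.2.17.jar` removed in the first RUN and `log4j-1.2-api-${LOG4J_VERSION}.jar` copied in by the second, Blazegraph's logging now goes through the Log4j 2 bridge, and nothing in this hunk supplies a Log4j 2 configuration or enables the bridge's 1.x compatibility mode. If the WAR ships only a `log4j.properties` (not visible here), Log4j 2 falls back to its default configuration, errors to the console only, and most application logging is lost, which matters for audit trails and incident response. A comment above the second RUN should say where the logging configuration comes from, for example `# log4j.properties is read through the bridge; requires -Dlog4j1.compatibility=true in the JVM options`, once that has been confirmed. The second RUN continues past the end of the hunk.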