Openfire 4.5.6 is released

guus · January 5, 2022, 3:56pm

Openfire 4.5.6 has been released, that addresses an annoying issue that was affecting the earlier 4.5.5 release. We’ve updated the bundled log4j library to version 2.17.1 for good measure.

The changelog denotes the two Jira issues closed by this release. You can find Openfire build artifacts available for download here and they have the following sha256sum values

3cf7be64dec0ab0d410ec38b15fae00eecd681c72140a8ad3ccc48be52a88982  openfire-4.5.6-1.i686.rpm
16d1d487d852efd80312fa796ffbaa61dd16e7b0e6587234639e9716e82b0745  openfire-4.5.6-1.noarch.rpm
db0fa0f3b0c904f6b15bcac3b4dc60db2aed8f8275f5f6af886d0bc8dbcdaf9c  openfire-4.5.6-1.x86_64.rpm
d7f2bca0bc82ef6ad404d36dcf4c3ba65a6f9191a00873a83c6739658ce124c6  openfire_4.5.6_all.deb
c96f79db2a9e434cc08ef5989062eb352e57315a25765c2a4f1442072eadbe07  openfire_4_5_6_bundledJRE.exe
77061c8aae0a892d041b8695f38ba2fe91b2844259654bb2e55bf505b9debe27  openfire_4_5_6_bundledJRE_x64.exe
c65ccbf45a69c0babe2876a9c511910d2601ff301539e9a4c3d94dc1b82952c9  openfire_4_5_6.dmg
5990611b18b9ffff5ff46dc8bb398306fc6361893c230ee5d71ad852564dcd49  openfire_4_5_6.exe
1f155e858a924e54b172fd884ccd49521fc55d89260b2e074e2b39b4271667c4  openfire_4_5_6.tar.gz
6df1c063efd674c059323431f786e9e2a70a3c6573e1012e2b56f6db7877d28f  openfire_4_5_6_x64.exe
400269969398c6ed90322ea8d199225b0cdf87a90a840d9aa123c0b941b1cfae  openfire_4_5_6.zip

For other release announcements and news follow us on Twitter

Neustradamus · January 5, 2022, 9:44pm

Attention!!

With this version 4.5.x, it was not updated:

Bouncy Castle 1.70 / 1.65 (CVE-2020-28052) → bouncycastle.org
SLF4J 1.7.32 / 1.7.26
MINA 2.1.5 / 2.1.3 (CVE-2021-41973) → MINA Home — Apache MINA

And 4.6.x has not too:

Bouncy Castle 1.70 / 1.68
SLF4J 1.7.32 / 1.7.30
MINA 2.1.5 / 2.1.3 (CVE-2021-41973) → MINA Home — Apache MINA

guus · January 6, 2022, 2:06pm

@Neustradamus, please stop crying wolf. You are needlessly alarming people. I have explained to you multiple times why we choose to not update certain libraries at this point.

Certain CVEs, even if they’re reported for the library, do not apply to Openfire (since it’s not using that specific functionality from the library), or have a vulnerability that is of low risk as compared to functional bugs known to exist in these older versions of Openfire.

Updating such a library in Openfire would introduce a risk (of changing/broken behavior), without much benefit. For these libraries, we explicitly choose to not update them in Openfire in these releases. We might include them in future releases, but only if we feel that the benefits outweigh the risks.