|Reported by:|Douglas R. Reno|Owned by:|Douglas R. Reno|
New major version.
Note that this is a supported LTS release until at least April 2022, with a major distribution like Red Hat taking support after that.
We should update this to assist with preventing attacks with Log4j, like ones that have been described using Minecraft. I have personally confirmed this update to prevent remote code execution using the Minecraft 1.18 server and a client running 1.18.1.
Some news articles:
Since 16.0.2 is unsupported anyway, and we'd have to create new binaries, I don't really feel like it's worth the trouble to patch it at this time. Updating to 17.0.2 is the best way.
Quote from Cloudflare: "When I look back over the last 10 years, there are only two other exploits I can think of with a similar severity: Heartbleed, which allowed you to get information from servers that should have been secure, and Shellshock, which allowed you to run code on a remote machine."