fix: Security fixes — logging, TLS, Jackson, chromedriver log path#601

Open
bgrozev wants to merge 6 commits into jitsi:master from bgrozev:fix-logging-and-update-dependencies
Conversation


@bgrozev bgrozev commented Apr 26, 2026

Summary

  • Avoid logging full XMPP environment config (usernames/domains) at INFO in XmppApi
  • Avoid logging full legacy config object (XMPP credential objects) at INFO in JibriConfig
  • Avoid logging XMPP credentials and RTMP URL at INFO in JibriManager service start methods
  • Explicitly configure TLS certificate validation (SSLContext.getDefault()) in WebhookClient
  • Update Jackson from 2.9.5 (multiple known CVEs) to 2.19.4; replace deprecated MissingKotlinParameterException with MismatchedInputException
  • Write chromedriver log to /var/log/jitsi/jibri/ instead of world-writable /tmp

These are all best-practice, no known impact.

bgrozev added 6 commits April 26, 2026 15:31

Full XmppEnvironmentConfig includes usernames and domains. Log only
the environment name and host.

JibriConfig includes XmppEnvironmentConfig entries which contain
XMPP credential objects. Log only a success confirmation.

Service start log lines included callLoginParams (XMPP credentials)
and rtmpUrl (may contain stream key). Log only session ID and call
params.

2.9.5 has multiple known CVEs (polymorphic deserialization, etc.).
Replace deprecated MissingKotlinParameterException with
MismatchedInputException to fix -Werror compilation with 2.19.4.

Set SSLContext.getDefault() on the Apache engine to make certificate
validation intentional rather than an implicit JVM default.

/tmp is world-writable and allows symlink attacks. The Jibri log
directory is owned by the jibri user and not world-writable.
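The first three bullets and commits describe the same pattern: stop putting whole config objects in INFO log lines, because their toString() carries credentials. The Kotlin below is an added example (not Jibri's code) of how a practitioner would make that robust rather than relying on every call site being careful: a credentials type whose toString() redacts secrets so that even an accidental "$config" interpolation leaks nothing, an INFO summary that carries only environment name and hosts, and a stream-start line that logs the session ID plus a host-only form of the RTMP URL. XmppCredentials, XmppEnvironmentConfig, StreamingParams, summary() and redactRtmpUrl are hypothetical stand-ins for the project's types, not its API.

```kotlin
import java.net.URI
import java.util.logging.Logger

// Hypothetical stand-in for the project's credential holder (example code, not Jibri's).
data class XmppCredentials(val domain: String, val username: String, val password: String) {
    // Redact in toString: a data class would otherwise print every field, and
    // any "$config" interpolation at INFO would leak username and password.
    override fun toString() = "XmppCredentials(domain=$domain, username=<redacted>, password=<redacted>)"
}

// Hypothetical stand-in for an environment entry. Its generated toString() nests
// the credentials' redacted toString(), so the whole object is safe to print at debug.
data class XmppEnvironmentConfig(
    val name: String,
    val xmppServerHosts: List<String>,
    val controlLogin: XmppCredentials,
    val callLogin: XmppCredentials
) {
    /** What belongs at INFO: environment name and hosts, nothing else. */
    fun summary() = "env '$name' hosts=${xmppServerHosts.joinToString(",")}"
}

// Hypothetical stand-in for streaming service parameters.
data class StreamingParams(val sessionId: String, val rtmpUrl: String)

// Stream keys travel in the RTMP URL path or query, so keep only scheme and host.
fun redactRtmpUrl(url: String): String =
    runCatching { URI(url) }.getOrNull()
        ?.let { u -> if (u.scheme != null && u.host != null) "${u.scheme}://${u.host}/<redacted>" else null }
        ?: "<unparseable url redacted>"

private val logger = Logger.getLogger("jibri-example")

fun logEnvironment(env: XmppEnvironmentConfig) {
    logger.info("Connecting to ${env.summary()}")   // INFO: name and hosts only
    logger.fine("Full environment config: $env")    // debug level, and redacted anyway
}

fun logStreamStart(params: StreamingParams) {
    logger.info("Starting stream session ${params.sessionId} to ${redactRtmpUrl(params.rtmpUrl)}")
}

fun main() {
    // Constructed sample values; nothing here comes from a real deployment.
    val env = XmppEnvironmentConfig(
        name = "prod",
        xmppServerHosts = listOf("xmpp.example.com"),
        controlLogin = XmppCredentials("auth.example.com", "jibri", "control-secret"),
        callLogin = XmppCredentials("recorder.example.com", "recorder", "call-secret")
    )
    logEnvironment(env)
    logStreamStart(StreamingParams("sess-42", "rtmp://live.example.com/app/STREAMKEY123"))
    // INFO output contains "env 'prod' hosts=xmpp.example.com" and
    // "rtmp://live.example.com/<redacted>"; neither password nor stream key appears.
}
```

The redacting toString() is the part that outlasts this PR: a future INFO line that interpolates a config object fails safe instead of reopening the leak. Redaction of the URL is done by reparsing rather than string-slicing so a malformed value cannot slip through with its query string intact.

For the last commit, the /tmp-to-/var/log/jitsi/jibri move, the following is an added example (again not the project's code) of the check a practitioner would want before handing a log path to chromedriver: refuse a directory that is a symlink, is writable by others, or is not owned by the running user, and refuse a pre-planted symlink at the log file name, since chromedriver creates and truncates that file itself. The default directory is taken from the PR description; checkLogDir, chromedriverLogPath and UnsafeLogLocation are hypothetical names, and the code assumes a POSIX filesystem.

```kotlin
import java.nio.file.Files
import java.nio.file.LinkOption
import java.nio.file.Path
import java.nio.file.Paths
import java.nio.file.attribute.PosixFilePermission

// Hypothetical exception type for this example.
class UnsafeLogLocation(msg: String) : IllegalStateException(msg)

/** Reject a log directory that another local user could redirect through a symlink. */
fun checkLogDir(dir: Path) {
    // NOFOLLOW_LINKS everywhere: the point is to catch a planted link, not follow it.
    if (Files.isSymbolicLink(dir)) throw UnsafeLogLocation("$dir is a symlink")
    if (!Files.isDirectory(dir, LinkOption.NOFOLLOW_LINKS)) throw UnsafeLogLocation("$dir is not a directory")
    val perms = Files.getPosixFilePermissions(dir, LinkOption.NOFOLLOW_LINKS)
    if (PosixFilePermission.OTHERS_WRITE in perms) throw UnsafeLogLocation("$dir is world-writable")
    val owner = Files.getOwner(dir, LinkOption.NOFOLLOW_LINKS).name
    val me = System.getProperty("user.name")
    if (owner != me) throw UnsafeLogLocation("$dir is owned by $owner, not $me")
}

/** Path chromedriver should log to, verified so the file cannot be hijacked. */
fun chromedriverLogPath(dir: Path = Paths.get("/var/log/jitsi/jibri")): Path {
    checkLogDir(dir)
    val log = dir.resolve("chromedriver.log")
    // chromedriver opens this name itself; a pre-existing symlink here would redirect the write.
    if (Files.isSymbolicLink(log)) throw UnsafeLogLocation("$log is a symlink")
    return log
}

fun main() {
    // Constructed demo: a private temp directory (mode 0700 on POSIX) stands in for
    // /var/log/jitsi/jibri so this runs without root.
    val privateDir = Files.createTempDirectory("jibri-log")
    println("accepted: " + chromedriverLogPath(privateDir))
    try {
        chromedriverLogPath(Paths.get("/tmp"))   // 1777: others can write, so rejected
    } catch (e: UnsafeLogLocation) {
        println("rejected: ${e.message}")
    }
    // With Selenium the accepted path is passed as
    // ChromeDriverService.Builder().withLogFile(log.toFile()).
}
```

The sticky bit on /tmp does not help here: it only prevents deleting or renaming other users' files, and an attacker who pre-creates chromedriver.log (or a symlink of that name) before the service starts still controls where the log is written. Checking the directory's permissions and owner once, at startup, closes that window without needing per-write atomic tricks.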