Minecraft Forge 1.16.4-35.1.32, with an *ACTUALLY* secure version of Log4j.
Go to file
~keith fffcd7f2bb
Reject unpatched clients on patched server & warn about unpatched servers
2022-01-20 20:24:44 +00:00
.github Fixed EntityJoinWorldEvent not being fired when player is added to ServerWorld. #5827 2019-07-08 18:42:12 -07:00
buildSrc Added Basic Class-Level SAS Capability to checkSAS, added Vector4f to SAS (#7385) 2020-10-08 14:02:48 -07:00
docs Fix doc README and answer lex's question 2020-10-04 15:50:58 -04:00
gradle/wrapper Update gradle wrapper 2020-03-15 13:55:03 -07:00
mdk Quiet down errors related to modders not changing their update urls from the default. 2020-12-26 11:39:14 -08:00
patches/minecraft Make UnboundedMapCodec more lenient in decoding dimensions. Fixes MC-197860 (#7527) 2021-01-05 19:17:24 -08:00
src Reject unpatched clients on patched server & warn about unpatched servers 2022-01-20 20:24:44 +00:00
.gitattributes Add --flat argument to data generators to not create data in mod specific directores. 2020-06-03 16:57:07 -07:00
.gitignore Fix build script & use Log4j 2.17.1 as per CVE-2021-44228 and CVE-2021-44832 2022-01-17 20:50:10 +00:00
CREDITS.txt Fix new launcher jar packaging. 2018-12-31 16:48:23 -08:00
Jenkinsfile Update jenkinsfile and gradle for new versions of things.. 2020-04-25 17:54:50 -04:00
LICENSE-header.txt Update copyright year to 2020. 2020-07-02 19:49:11 +02:00
LICENSE.txt Its 2019. Update licence headers to match. 2019-02-10 17:57:03 -05:00
README.md Add README.md 2022-01-18 00:09:42 +00:00
build.gradle Fix build script & use Log4j 2.17.1 as per CVE-2021-44228 and CVE-2021-44832 2022-01-17 20:50:10 +00:00
gradle.properties Fix build script & use Log4j 2.17.1 as per CVE-2021-44228 and CVE-2021-44832 2022-01-17 20:50:10 +00:00
gradlew Zeroth pass on 1.13 2018-09-05 12:56:01 -07:00
gradlew.bat Revert defualt jvm args. 2020-04-15 10:09:49 -07:00
icon.ico Update assets to new Forge brand (#3464) 2016-11-30 14:56:31 -08:00
installer_logo.png 1.15.2 Initial Update 2020-01-22 13:44:03 -08:00
l4jManifest.xml Added FG2 buildscript + updated for Gradle 2.4 2015-06-29 21:56:35 -05:00
settings.gradle Zeroth pass on 1.13 2018-09-05 12:56:01 -07:00



This is a modified version of Minecraft Forge 1.16.4-25.1.32, with its Log4j version updated to 2.17.1.

The Backstory

A bit over a week ago, I decided to attempt to make a properly patched modification of the Forge version I was using prior to the Log4j bug being duscivered. It should have been as simple as modifying the version numbers specified in the Gradle build script, and rewriting any code that referenced nonexistent Log4j methods/classes.

However, I underestimated the Genius of the Minecraft Forge dev team.

See, 1.16.4 isn't officially supported by Forge anymore. I knew that going in, but I didn't want to update to 1.16.5, because that would require getting every player to update their version of Forge as well (and potentially also their mods if some broke in the transition). However, L*x M*nos and his team, in their Infinite Wisdom, decided to break the build scripts for all versions they no longer supported, and change the Maven repository URL listed in the build script to throw me off the scent. "No worries," I thought, "surely I can just change files.minecraftforge.net/maven to maven.minecraftforge.net in the build script and everything will work, right?" Nope - Gradle adamantly refused to look for dependencies at the new URL (which, it turns out, wasn't actually the cause of the problem, but I believed it was at this point). The hyper-intelligent superior life forms over at Forge, whose ways a lowly Earth being like me simply cannot comprehend, had hard-coded the URL in somewhere. Either that or Gradle was being a bitch. Probably both.

So, being the primitive, foolish Homo sapiens that I am, I made the mistake of asking for help in the Forge Discord. Kindly, of course, I mentioned that I was trying to build this specific version of Forge from source, and asked for assistance in fixing the build script errors. When asked why I was trying to do such a thing with an unsupported version of Forge, I mentioned that I was trying to build from source in order to update the Log4j version (since simply forcing the compiled server JAR to load 2.17.1 would crash with an exception). Second mistake. The moment I mention Log4j, it's no longer about my actual question, and instead about how I should just download 1.16.5, which still uses a version of Log4j that Apache's website advises against using - because who would want to solve a problem themselves when they can simply update their software to a version which still doesn't solve that problem? Why use your brain? Get rid of it and just download the latest version of what L*x M*nos, Holy King Of Gods, Sacred Be His Name wants you to think!!!1

Anyways, what's really funny about this whole exchange is when I cited Apache's official Web site for Log4j, which states that versions below 2.17.1 should be avoided due to security vulnerability CVE-2021-44832 (as well as CVE-2021-45105 and CVE-2021-45046, which were patched before 2.17.1 but after 2.15.0), and got a canned response saying that CVE-2021-44228 was patched in 2.15.0, and was then told to "stop arguing with the people who actually write the software I use" - which was said immediately after Gex Manuals attempted to convince me that the official Log4j website was wrong. Silly me, I forgot that the Forge developers are more highly evolved than I am, and have ascended to inhabit an alternative reality where the numbers 44228 and 44832 are equal, and denial of service vulnerabilities like CVE-2021-45105 don't exist!

I ended up putting this project on hold, since I had other, better things to do. But after picking it back up today, I realized two things. First, the files.minecraftforge.net/maven-to-maven.minecraftforge.net change was a complete red herring and not the actual source of the compilation problems - the Forge team had deleted the dependencies required by 1.16.4 from their Maven repository. (Not sure why. Disk space constraints, maybe?) And second, the missing dependencies were available at libraries.minecraft.net.

Patching other versions

I may attempt to patch other versions of Forge later. If you want to try and do it yourself, here's how you need to modify build.gradle:

  1. Search for log4j in the file, and replace the version number for both log4j-api and log4j-core with 2.17.1
  2. In the buildscript { repositories {} } block at the top of the file, add a line below the existing maven {} block which reads:
maven { url = 'https://libraries.minecraft.net/' }
  1. Copy both of those lines into the repositories {} block in project(':clean') and project(':forge').

To build Forge and the installer, it should be:

./gradlew forge:release
./gradlew forge:installerJar

The output will be in ./projects/forge/build/libs/.