Patching log4j version to v2.15.0 #888
Conversation
|
Hi, can we merge this soon to patch the CVE? Also would it be better to bump to 2.17+ instead? CC: @jekh |
| @@ -68,7 +68,7 @@ | |||
|
|
|||
| <maven-jar-plugin.version>3.0.2</maven-jar-plugin.version> | |||
|
|
|||
| <log4j.version>2.9.0</log4j.version> | |||
| <log4j.version>2.15.0</log4j.version> | |||
There was a problem hiding this comment.
As @vidhem suggests; can we bump up to version 2.17.0 for the reason described:
The Log4j team has been made aware of a security vulnerability, CVE-2021-45105, that has been addressed in Log4j 2.17.0 for Java 8 and up.
I tested your patch locally @YLcoding with both versions 2.15.0 and 2.17.0 with both versions, all unit tests pass except for: net.lightbody.bmp.proxy.BindAddressTest.testClientBindAddressCannotConnect
java.lang.AssertionError: Expected exception: org.apache.http.conn.HttpHostConnectException
Evaluating localHostAddr = InetAddress.getLocalHost() does allow the HTTP client to connect to the proxy and I do not observe the expected UnknownHostException.
|
where can I find the jar files for 2.17 release ? |
No description provided.