This is an automated email from the ASF dual-hosted git repository. vy pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git
commit 45614b0ad74c926392f72872f4b0682f89fdc2dc Author: Volkan Yazıcı <[email protected]> AuthorDate: Fri Feb 3 14:34:09 2023 +0100 Update security page to reflect that config access won't qualify --- log4j-2.19.0/security.html | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/log4j-2.19.0/security.html b/log4j-2.19.0/security.html index f012f233d..2d7ecdf6b 100644 --- a/log4j-2.19.0/security.html +++ b/log4j-2.19.0/security.html @@ -179,7 +179,9 @@ to mitigate the known vulnerabilities listed here, please Log4j <a href="mail-lists.html">Users mailing list</a>.</p> <p>If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, or if the descriptions here are incomplete, please report them -privately to the <a class="externalLink" href="mailto:[email protected]">Log4j Security Team</a>. Thank you!</p> +privately to <a class="externalLink" href="mailto:[email protected]">the Log4j Security Team</a>. +Note that reports assuming attacker's access to the Log4j configuration will not qualify as a vulnerability. +Thank you for your understanding and help!</p> <p><a name="CVE-2021-44832"></a><a name="cve-2021-44832"></a></p><section> <h2><a name="Fixed_in_Log4j_2.17.1_.28Java_8.29.2C_2.12.4_.28Java_7.29_and_2.3.2_.28Java_6.29"></a><a name="log4j-2.17.1"></a> Fixed in Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6)</h2> <p><a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832">CVE-2021-44832</a>:
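Review bot: In the added line "Note that reports assuming attacker's access to the Log4j configuration will not qualify as a vulnerability.", the word "access" is undefined, so a reporter cannot tell whether read access, write access, or both are excluded. Suggest stating the intended scope explicitly, for example "reports that assume an attacker can modify the Log4j configuration" if that is what is meant, which also fixes the missing article in "assuming attacker's access". A short rationale would help too, since the sentence sits directly above the CVE-2021-44832 section and readers will read the two together. Separately, the change touches only log4j-2.19.0/security.html; if the same reporting paragraph appears on other versioned copies of the page, they will now disagree with this one.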
