This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push: new 78ce0e3 Fixed: [SECURITY] CVE-2021-45105: Apache Log4j2 (OFBIZ-12470) 78ce0e3 is described below commit 78ce0e3fc74e0c2b92077111b756550b692d1576 Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Sun Dec 19 03:25:11 2021 +0100 Fixed: [SECURITY] CVE-2021-45105: Apache Log4j2 (OFBIZ-12470) CVE-2021-45105: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 does not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue is fixed in Log4j 2.17.0.: https://logging.apache.org/log4j/2.x/security.html --- build.gradle | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/build.gradle b/build.gradle index 1b7a2f5..6a07fcc 100644 --- a/build.gradle +++ b/build.gradle @@ -217,8 +217,8 @@ dependencies { implementation 'org.apache.geronimo.components:geronimo-transaction:3.1.4' implementation 'org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1' implementation 'org.apache.httpcomponents:httpclient-cache:4.5.13' - implementation 'org.apache.logging.log4j:log4j-api:2.16.0' // the API of log4j 2 - implementation 'org.apache.logging.log4j:log4j-core:2.16.0' // Somehow needed by Buildbot to compile OFBizDynamicThresholdFilter.java + implementation 'org.apache.logging.log4j:log4j-api:2.17.0' // the API of log4j 2 + implementation 'org.apache.logging.log4j:log4j-core:2.17.0' // Somehow needed by Buildbot to compile OFBizDynamicThresholdFilter.java implementation 'org.apache.poi:poi:4.1.2' // poi-ooxml-schemas-5.0.0.pom'. Received status code 401 from server implementation 'org.apache.pdfbox:pdfbox:2.0.24' implementation 'org.apache.shiro:shiro-core:1.8.0' @@ -256,10 +256,10 @@ dependencies { runtimeOnly 'org.apache.axis2:axis2-transport-local:1.7.9' // Above: SOAPEventHandler.java:42: error: package org.apache.axiom.om.impl.builder does not exist runtimeOnly 'org.apache.derby:derby:10.14.2.0' // So far we did not update from 10.14.2.0 because of a compile issue. You may try w/ a newer version than 10.15.1.3 runtimeOnly 'org.apache.geronimo.specs:geronimo-jaxrpc_1.1_spec:2.1' - runtimeOnly 'org.apache.logging.log4j:log4j-1.2-api:2.16.0' // for external jars using the old log4j1.2: routes logging to log4j 2 - runtimeOnly 'org.apache.logging.log4j:log4j-jul:2.16.0' // for external jars using the java.util.logging: routes logging to log4j 2 - runtimeOnly 'org.apache.logging.log4j:log4j-slf4j18-impl:2.16.0' // for external jars using slf4j: routes logging to log4j 2 - runtimeOnly 'org.apache.logging.log4j:log4j-jcl:2.16.0' // need to constrain to version to avoid classpath conflict (ReflectionUtil) + runtimeOnly 'org.apache.logging.log4j:log4j-1.2-api:2.17.0' // for external jars using the old log4j1.2: routes logging to log4j 2 + runtimeOnly 'org.apache.logging.log4j:log4j-jul:2.17.0' // for external jars using the java.util.logging: routes logging to log4j 2 + runtimeOnly 'org.apache.logging.log4j:log4j-slf4j18-impl:2.17.0' // for external jars using slf4j: routes logging to log4j 2 + runtimeOnly 'org.apache.logging.log4j:log4j-jcl:2.17.0' // need to constrain to version to avoid classpath conflict (ReflectionUtil) runtimeOnly 'org.codeartisans.thirdparties.swing:batik-all:1.8pre-r1084380' // Dependencies defined by the plugins