This is an automated email from the ASF dual-hosted git repository.

asalamon74 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/oozie.git


The following commit(s) were added to refs/heads/master by this push:
     new b3943fc  OOZIE-3649 Upgrade transitive log4j2 version to 2.17.1 
(dionusos via asalamon74)
b3943fc is described below

commit b3943fcff32f90e6a72f83871e3bbcb3361f3326
Author: Andras Salamon <[email protected]>
AuthorDate: Thu Jan 13 09:07:12 2022 +0100

    OOZIE-3649 Upgrade transitive log4j2 version to 2.17.1 (dionusos via 
asalamon74)
    
    Oozie currently does not use log4j2 directly but in case of a future use 
this commit ensures that no vulnerable log4j2 dependency comes in.
---
 pom.xml         | 32 ++++++++++++++++++++++++++++++++
 release-log.txt |  1 +
 2 files changed, 33 insertions(+)

diff --git a/pom.xml b/pom.xml
index 5796322..a5a9d3c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -118,6 +118,7 @@
          <curator.version>2.5.0</curator.version>
          <jackson.version>2.6.5</jackson.version>
          <log4j.version>1.2.17</log4j.version>
+         <log4j2.version>2.17.1</log4j2.version>
          <activemq.version>5.15.9</activemq.version>
          <commons.lang3.version>3.3.2</commons.lang3.version>
          <httpcore.version>4.3.3</httpcore.version>
@@ -2587,6 +2588,37 @@
                             </exclusion>
                         </exclusions>
                     </dependency>
+                    <!-- Lock log4j2 artifact version -->
+                    <dependency>
+                        <groupId>org.apache.logging.log4j</groupId>
+                        <artifactId>log4j-api</artifactId>
+                        <version>${log4j2.version}</version>
+                    </dependency>
+                    <dependency>
+                        <groupId>org.apache.logging.log4j</groupId>
+                        <artifactId>log4j-1.2-api</artifactId>
+                        <version>${log4j2.version}</version>
+                    </dependency>
+                    <dependency>
+                        <groupId>org.apache.logging.log4j</groupId>
+                        <artifactId>log4j-core</artifactId>
+                        <version>${log4j2.version}</version>
+                    </dependency>
+                    <dependency>
+                        <groupId>org.apache.logging.log4j</groupId>
+                        <artifactId>log4j-web</artifactId>
+                        <version>${log4j2.version}</version>
+                    </dependency>
+                    <dependency>
+                        <groupId>org.apache.logging.log4j</groupId>
+                        <artifactId>log4j-slf4j-impl</artifactId>
+                        <version>${log4j2.version}</version>
+                    </dependency>
+                    <dependency>
+                        <groupId>org.apache.logging.log4j</groupId>
+                        <artifactId>log4j-jcl</artifactId>
+                        <version>${log4j2.version}</version>
+                    </dependency>
                 </dependencies>
             </dependencyManagement>
         </profile>
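Review bot: The six pins sit in a `<dependencyManagement>` that closes just before `</profile>`, so they only take effect when that profile is active. The profile's opening tag is outside the hunk, so confirm that the top-level `dependencyManagement` (or every other profile) carries the same lock; otherwise a transitive log4j2 can still resolve to an older, vulnerable version in other builds. Listing artifacts one by one also leaves any log4j2 module outside these six unmanaged, whereas importing `log4j-bom` at `${log4j2.version}` manages the whole group in a single entry. The comment should also say why the version is pinned, e.g. `<!-- Oozie does not use log4j2 directly; pin transitive log4j2 to a non-vulnerable release -->`.

```xml
<!-- Oozie does not use log4j2 directly; pin transitive log4j2 to a non-vulnerable release -->
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-bom</artifactId>
    <version>${log4j2.version}</version>
    <type>pom</type>
    <scope>import</scope>
</dependency>
<!-- … replaces the six per-artifact log4j2 entries … -->
```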
diff --git a/release-log.txt b/release-log.txt
index d61ce6a..89de3ec 100644
--- a/release-log.txt
+++ b/release-log.txt
@@ -1,5 +1,6 @@
 -- Oozie 5.3.0 release (trunk - unreleased)
 
+OOZIE-3649 Upgrade transitive log4j2 version to 2.17.1 (dionusos via 
asalamon74)
 OOZIE-3645 Oozie documentation on Purge REST API should be fixed (mgrigorov 
via dionusos)
 OOZIE-3639 Build failure on Linux ARM64 (mgrigorov via dionusos)
 OOZIE-3599 Upgrade Jetty to 9.4.43.v20210629 (medb via dionusos)
