This is an automated email from the ASF dual-hosted git repository.

git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/sling-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new a2a0efa  Automatic website deployment from 
https://ci-builds.apache.org/job/Sling/job/modules/job/sling-site/job/master/358/
a2a0efa is described below

commit a2a0efa6857c08ef3840204e405c42824a1ab686
Author: jenkins <[email protected]>
AuthorDate: Fri Dec 17 10:28:06 2021 +0000

    Automatic website deployment from 
https://ci-builds.apache.org/job/Sling/job/modules/job/sling-site/job/master/358/
---
 security/log4shell.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/log4shell.html b/security/log4shell.html
index 4b823a8..932fcf0 100644
--- a/security/log4shell.html
+++ b/security/log4shell.html
@@ -97,7 +97,7 @@
                             Apache Sling advisory regarding CVE-2021-44228 and 
LOGBACK-1591
                         </h1><div class="content is-marginless">
 <div class="row"><div><section><p>On 9th December 2021, a new zero-day 
vulnerability for <a 
href="https://logging.apache.org/log4j/2.x/index.html";>Apache Log4j 2</a> was 
reported. It is tracked under <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228";>CVE-2021-44228</a>
 and affects Log4j versions from 2.0.1 (inclusive) to 2.15.0 (exclusive). It is 
also known under the <em>Log4Shell</em> name.</p>
-<p>Apache Sling modules use the <a href="http://www.slf4j.org";>Simple Logging 
Facade for Java</a> (slf4j) for logging, backed by the <a 
href="https://github.dev/apache/sling-org-apache-sling-commons-log/";>Sling 
Commons Log bundle</a>. There are no Sling modules using versions of Log4j 
affected by <em>Log4Shell</em>. The Sling Starter and Sling CMS applications do 
not include any vulnerable version of the Log4j library.</p>
+<p>Apache Sling modules use the <a href="http://www.slf4j.org";>Simple Logging 
Facade for Java</a> (slf4j) for logging, backed by the <a 
href="https://github.com/apache/sling-org-apache-sling-commons-log/";>Sling 
Commons Log bundle</a>. There are no Sling modules using versions of Log4j 
affected by <em>Log4Shell</em>. The Sling Starter and Sling CMS applications do 
not include any vulnerable version of the Log4j library.</p>
 <p>Applications built on top of Apache Sling are not impacted by 
CVE-2021-44228, provided they do not deploy a vulnerable version of Log4j 
themselves.</p>
 <p>The Sling Commons Log bundle wraps <code>logback-core</code> and 
<code>logback-classic</code>, but does not allow arbitrary modifications to the 
<code>logback.xml</code> file and is therefore not vulnerable to the attack 
described in <a 
href="https://jira.qos.ch/browse/LOGBACK-1591";>LOGBACK-1591</a>.</p>
 <p>The Apache Sling PMC recommends that developers and operators of 
applications built on top of Apache Sling review the libraries they deploy to 
ensure that they do not include vulnerable versions of Log4j.</p>
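Review bot: The slf4j link in the changed paragraph still points to plain `http://www.slf4j.org`, while every other link in this hunk (Log4j, cve.mitre.org, GitHub, jira.qos.ch) uses https. Since this paragraph is already being touched to correct the Sling Commons Log URL from github.dev to github.com, switch the slf4j href to https in the same edit. This file is generated by the site deployment job, so make the change in content/security/log4shell.md, not in the HTML.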
@@ -112,7 +112,7 @@
                             content/security/log4shell.md
                         </a>
                     </div>                    <div class="revisionInfo">
-                        Last modified by <span class="author">Oliver 
Lietz</span> on <span class="comment">2021-12-17</span>
+                        Last modified by <span class="author">Robert 
Munteanu</span> on <span class="comment">2021-12-17</span>
                     </div><p>
                         Apache Sling, Sling, Apache, the Apache feather logo, 
and the Apache Sling project logo are trademarks of The Apache Software 
Foundation. All other marks mentioned may be trademarks or registered 
trademarks of their respective owners.
                     </p><p>
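Review bot: In the revisionInfo block the date is wrapped in `<span class="comment">`, which mislabels it and suggests the template is putting the date where a commit comment was expected. The footer also records only the last editor and day, so a reader of this advisory cannot tell from the page what changed between two edits made on 2021-12-17. Consider a dedicated class for the date and showing or linking the revision comment for content/security/log4shell.md.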
