[
https://issues.apache.org/jira/browse/SSHD-1248?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17498746#comment-17498746
]
Thomas Wolf commented on SSHD-1248:
-----------------------------------
[~pnugraha], somehow your comment about that effective-pom.xml is not visible
as a comment; it's shown only if "All" is selected in Jira.
However, look at that effective POM:
{code:xml}
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
                             https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.5.5</version>
    <relativePath />
  </parent>
  <groupId>com.example</groupId>
  <artifactId>ssh-server</artifactId>
  <version>0.0.1</version>
  <name>ssh-server</name>
  <description>Sample Spring for Custom POD</description>
  <url>https://spring.io/projects/spring-boot/ssh-server</url>
  <licenses>
    <license>
      <name>Apache License, Version 2.0</name>
      <url>https://www.apache.org/licenses/LICENSE-2.0</url>
    </license>
  </licenses>
  <developers>
    <developer>
      <name>Pivotal</name>
      <email>[email protected]</email>
      <organization>Pivotal Software, Inc.</organization>
      <organizationUrl>https://www.spring.io</organizationUrl>
    </developer>
  </developers>
  <scm>
    <url>https://github.com/spring-projects/spring-boot/ssh-server</url>
  </scm>
...
{code}
This is *not* the POM of Apache MINA sshd. This is something else that uses
Apache MINA sshd. It also is apparently an example only. The SCM URL given
doesn't work.
> Log4J2 Security Vulnerability ( CVE-2021-44832 )
> ------------------------------------------------
>
> Key: SSHD-1248
> URL: https://issues.apache.org/jira/browse/SSHD-1248
> Project: MINA SSHD
> Issue Type: Question
> Affects Versions: 2.8.0
> Reporter: Putra Nugraha
> Priority: Major
> Attachments: effective-pom.xml, image-2022-02-28-15-06-13-418.png
>
>
> Upon checking for possible security vulnerabilities, I noticed MINA SSHD is
> using Log4J2 version 2.14.1, and Log4J2 made some fixes in the later version
> (2.17.1 for Java 8), one of which is related to security vulnerabilities
> leading to RCE.
>
> May I know if there is any plan for MINA SSHD to adopt the above fix? Or can
> we please have this fixed if not planned?
>
> Further details on the above Log4J security vulnerabilities can be found here
> https://logging.apache.org/log4j/2.x/security.html