[
https://issues.apache.org/jira/browse/NUTCH-2915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458673#comment-17458673
]
ASF GitHub Bot commented on NUTCH-2915:
---------------------------------------
sebastian-nagel commented on pull request #713:
URL: https://github.com/apache/nutch/pull/713#issuecomment-992836324
> +1 shall we push a release?
The released 1.18 still uses log4j 1.x and indexer-elastic ships only with
log4j-api - if I'm not wrong only Nutch master is affected and no released
version. But would be good to have a second look on the issue and also to
prepare for a release in the near future.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@nutch.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> Upgrade to log4j 2.15.0
> -----------------------
>
> Key: NUTCH-2915
> URL: https://issues.apache.org/jira/browse/NUTCH-2915
> Project: Nutch
> Issue Type: Bug
> Components: logging
> Affects Versions: 1.19
> Reporter: Sebastian Nagel
> Assignee: Sebastian Nagel
> Priority: Critical
> Fix For: 1.19
>
>
> See [Apache Log4j Security
> Vulnerabilities|https://logging.apache.org/log4j/2.x/security.html].
> Notes:
> - the released 1.18 is not directly affected because it uses log4j 1.x which
> is not affected by CVE-2021-44228. The upgrade from log4j 1.x to 2.14.1 was
> done recently by NUTCH-2885.
> - the plugin indexer-elastic includes a transitive dependency to
> log4j-api-2.11.1 which is not affected - only log4j-core is according to
> [comments by slf4j|http://www.slf4j.org/log4shell.html].
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
