Thanks Jacques, for being on top of this.

Kind regards,

Pierre Smits
Proud contributor of Apache OFBiz <https://ofbiz.apache.org/> since 2008 (without privileges)
Proud contributor to the ASF since 2006
Apache Directory <https://directory.apache.org>, PMC Member

On Tue, Dec 14, 2021 at 12:23 PM ASF subversion and git services (Jira) <j...@apache.org> wrote:

> [ https://issues.apache.org/jira/browse/OFBIZ-12449?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459094#comment-17459094 ]
>
> ASF subversion and git services commented on OFBIZ-12449:
> ---------------------------------------------------------
>
> Commit 479e222bbb7ecb81fdbf123cc6cfcc10f8dbac4a in ofbiz-framework's branch refs/heads/trunk from Jacques Le Roux
> [ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=479e222 ]
>
> Improved: Apache Log4j2 (OFBIZ-12449)
>
> Updates log4j2 from 2.15.0 to 2.16.0 because of
> https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4
>
> It's not a security issue, I lazily use OFBIZ-12449 because it can improve security even if it's not necessary (dixit the announce)
>
> > [SECURITY] CVE-2021-44228: Apache Log4j2
> > ----------------------------------------
> >
> > Key: OFBIZ-12449
> > URL: https://issues.apache.org/jira/browse/OFBIZ-12449
> > Project: OFBiz
> > Issue Type: Sub-task
> > Components: ALL COMPONENTS
> > Affects Versions: Trunk
> > Reporter: Jacques Le Roux
> > Assignee: Jacques Le Roux
> > Priority: Blocker
> > Fix For: 18.12.03
> >
> > CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints:
> > https://logging.apache.org/log4j/2.x/security.html
> > I'm not sure we are concerned, have no time to check, better safe than sorry...
>
> --
> This message was sent by Atlassian Jira
> (v8.20.1#820001)