Hi Jacopo, All,
Ready to release 18.12.05?
Also it'd be good to ASAP freeze 22.01. Then I'll adapt BuildBot config and ask Infra to restart the demos. We will need to also trivially update README.adoc. I'll put that in the freeze part of the release plan page in wiki.
TIA
Happy holidays :)
Jacques
On 29/12/2021 at 09:05, jler...@apache.org wrote:
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new a744965 Fixed: [SECURITY] CVE-2021-44832: Apache Log4j2 (OFBIZ-12475)
a744965 is described below
commit a7449655678460ecd84ce6c04f7cc90bb55d1ea5
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Wed Dec 29 08:51:55 2021 +0100
Fixed: [SECURITY] CVE-2021-44832: Apache Log4j2 (OFBIZ-12475)
See complete explanation at https://issues.apache.org/jira/browse/OFBIZ-12475
---
build.gradle | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/build.gradle b/build.gradle
index 99206c3..0dc7486 100644
--- a/build.gradle
+++ b/build.gradle
@@ -217,8 +217,8 @@ dependencies {
implementation 'org.apache.geronimo.components:geronimo-transaction:3.1.4'
implementation 'org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1'
implementation 'org.apache.httpcomponents:httpclient-cache:4.5.13'
- implementation 'org.apache.logging.log4j:log4j-api:2.17.0' // the API of
log4j 2
- implementation 'org.apache.logging.log4j:log4j-core:2.17.0' // Somehow
needed by Buildbot to compile OFBizDynamicThresholdFilter.java
+ implementation 'org.apache.logging.log4j:log4j-api:2.17.1' // the API of
log4j 2
+ implementation 'org.apache.logging.log4j:log4j-core:2.17.1' // Somehow
needed by Buildbot to compile OFBizDynamicThresholdFilter.java
implementation 'org.apache.poi:poi:4.1.2' //
poi-ooxml-schemas-5.0.0.pom'. Received status code 401 from server
implementation 'org.apache.pdfbox:pdfbox:2.0.24'
implementation 'org.apache.shiro:shiro-core:1.8.0'
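Review bot: the log4j version is written out as a literal on both the log4j-api and the log4j-core line, and the diffstat shows seven such literals had to be edited to move from 2.17.0 to 2.17.1. Defining the version once in build.gradle (a single variable, or the org.apache.logging.log4j:log4j-bom platform) would make the next security bump a one-line change and would rule out a mismatched api/core pair if one line is missed. The comment "Somehow needed by Buildbot to compile OFBizDynamicThresholdFilter.java" could also be replaced with what that class actually needs from log4j-core.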
@@ -256,11 +256,11 @@ dependencies {
runtimeOnly 'org.apache.axis2:axis2-transport-local:1.7.9' // Above:
SOAPEventHandler.java:42: error: package org.apache.axiom.om.impl.builder does
not exist
runtimeOnly 'org.apache.derby:derby:10.14.2.0' // So far we did not
update from 10.14.2.0 because of a compile issue. You may try w/ a newer
version than 10.15.1.3
runtimeOnly 'org.apache.geronimo.specs:geronimo-jaxrpc_1.1_spec:2.1'
- runtimeOnly 'org.apache.logging.log4j:log4j-1.2-api:2.17.0' // for
external jars using the old log4j1.2: routes logging to log4j 2
- runtimeOnly 'org.apache.logging.log4j:log4j-jul:2.17.0' // for external
jars using the java.util.logging: routes logging to log4j 2
- runtimeOnly 'org.apache.logging.log4j:log4j-slf4j-impl:2.17.0' // for
external jars using slf4j: routes logging to log4j 2
- runtimeOnly 'org.apache.logging.log4j:log4j-web:2.17.0' //???
- runtimeOnly 'org.apache.logging.log4j:log4j-jcl:2.17.0' // need to
constrain to version to avoid classpath conflict (ReflectionUtil)
+ runtimeOnly 'org.apache.logging.log4j:log4j-1.2-api:2.17.1' // for
external jars using the old log4j1.2: routes logging to log4j 2
+ runtimeOnly 'org.apache.logging.log4j:log4j-jul:2.17.1' // for external
jars using the java.util.logging: routes logging to log4j 2
+ runtimeOnly 'org.apache.logging.log4j:log4j-slf4j-impl:2.17.1' // for
external jars using slf4j: routes logging to log4j 2
+ runtimeOnly 'org.apache.logging.log4j:log4j-web:2.17.1' //???
+ runtimeOnly 'org.apache.logging.log4j:log4j-jcl:2.17.1' // need to
constrain to version to avoid classpath conflict (ReflectionUtil)
runtimeOnly
'org.codeartisans.thirdparties.swing:batik-all:1.8pre-r1084380'
// Dependencies defined by the plugins
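Review bot: the log4j-web line keeps the comment "//???", so the reason this artifact is on the runtime classpath is still undocumented even though the line is being touched for a security fix; either state what needs it or check whether it can be removed. The five runtimeOnly bridge artifacts in this hunk have to stay at the same version as the log4j-api and log4j-core entries in the implementation block, and nothing in the file enforces that beyond the repeated literal. Since the change only pins the directly declared artifacts, it is worth confirming from the resolved runtime classpath that no other dependency still brings in an older log4j-core.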