[ https://issues.apache.org/jira/browse/OOZIE-3649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17475167#comment-17475167 ]
Andras Salamon commented on OOZIE-3649:
---------------------------------------

Thanks for the patch [~dionusos]. Oozie does not use log4j2 directly (see OOZIE-3136) and it seems to me that it's not even a transitive dependency if we compile it with default settings. But of course one can specify 3rd party versions in a way that a wrong version is pulled in, so this fix is still very useful.

Committed to master.

> Upgrade log4j2 versions to 2.17.1
> ---------------------------------
>
> Key: OOZIE-3649
> URL: https://issues.apache.org/jira/browse/OOZIE-3649
> Project: Oozie
> Issue Type: Bug
> Affects Versions: 5.2.1
> Reporter: Dénes Bodó
> Assignee: Dénes Bodó
> Priority: Blocker
> Labels: security
> Attachments: OOZIE-3649-001.patch
>
>
> Due to several security improvements recently made in log4j2 we should
> upgrade its version to the latest 2.17.1.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)