[ 
https://issues.apache.org/jira/browse/OMID-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17955570#comment-17955570
 ] 

Istvan Toth commented on OMID-313:
----------------------------------

It's a bit late, but the ticket description is not correct.

None of the listed CVEs are related to commons-logging.

Replacing commons-logging with org.slf4j:jcl-over-slf4j is good, as it will 
result in the logs getting correctly processed by the selected logging backend, 
but this is not a security issue.

> Remove commons-logging due to multiple affecting CVEs
> -----------------------------------------------------
>
>                 Key: OMID-313
>                 URL: https://issues.apache.org/jira/browse/OMID-313
>             Project: Phoenix Omid
>          Issue Type: Improvement
>            Reporter: Norbert Mészáros
>            Assignee: Norbert Mészáros
>            Priority: Major
>             Fix For: 1.1.4
>
>
> Remove commons-logging due to multiple affecting CVEs
> (CVE-2021-37533 CVE-2019-17571 CVE-2021-4104 CVE-2022-23302 CVE-2022-23305 
> CVE-2022-23307)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
