Not only thinking about log4j here. I'm pretty sure 7.7.x is vulnerable to several other CVEs over the last 1.5 years too, so we have not followed up with patch releases as some users might expect. I'll propose an edit to the download page to make it clear that 7.x is NOT a patched LTS release and recommend against its usage.
Jan Høydahl

> On 25 Dec 2021 at 17:47, David Smiley <[email protected]> wrote:
>
> Users have a valid mitigation that is easy to apply (that sys prop =true), and they could upgrade Log4j themselves if they are extra paranoid (e.g. corp mandates, which I am familiar with). So I think no further action by our project is necessary.
>
> (Merry Christmas to you all)
>
>> On Fri, Dec 24, 2021 at 11:11 AM Shawn Heisey <[email protected]> wrote:
>> On 12/24/2021 5:12 AM, Jan Høydahl wrote:
>> > Merry Christmas to all fellow committers and the wider community!
>> >
>> > If there are no plans of (quickly) releasing a 7.7.4 with all known vulnerabilities fixed, I propose we publish a statement that 7.x is officially not supported and urge users to upgrade to 8.11.
>>
>> I agree. 7.x is in maintenance mode until 9.0 is released, and users have a few options for a workaround. If patching and recompiling were the only option for users to fix the problem themselves, then I think we would need to make a new release.
>>
>> Thanks,
>> Shawn
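The thread refers to "that sys prop" without naming it; the Log4Shell mitigation the Solr advisory pointed at is the JVM flag `-Dlog4j2.formatMsgNoLookups=true`, and the other option is replacing the bundled log4j-core jar. The script below is an added example written for this page, not code from the Solr or Log4j projects: it reads the Implementation-Version out of a jar manifest, compares it against a patched-version threshold, and checks whether the mitigation flag is present in the JVM options. The threshold 2.17.0 is an assumption reflecting the latest Log4j release at the date of the thread; the sample manifest is constructed. Note the caveat Jan raises above: the flag only addresses the lookup-based CVE, so "mitigated" here does not mean the other CVEs in a 7.7.x install are covered.

```shell
#!/bin/sh
# Added example (not Solr project code): decide whether a Solr install's Log4j
# is patched, mitigated by the JVM flag, or neither.
# Assumptions: the mitigation is -Dlog4j2.formatMsgNoLookups=true, versions are
# read from Implementation-Version in META-INF/MANIFEST.MF, and the patched
# threshold below is the Log4j release current at the time of the thread.
PATCHED_LOG4J="2.17.0"
MITIGATION_FLAG="-Dlog4j2.formatMsgNoLookups=true"

# log4j_version_from_manifest: read a manifest on stdin, print the
# Implementation-Version value (CRLF line endings stripped).
log4j_version_from_manifest() {
    sed -n 's/^Implementation-Version: *//p' | tr -d '\r'
}

# scan_jar JAR: print the version of a log4j-core jar on disk (needs unzip).
scan_jar() {
    unzip -p "$1" META-INF/MANIFEST.MF 2>/dev/null | log4j_version_from_manifest
}

# version_ge A B: exit 0 when dotted version A >= B, comparing numerically
# component by component (so 2.17.0 > 2.9.1, unlike a string compare).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# opts_has_mitigation OPTS: exit 0 when the flag appears as a whole token,
# e.g. in SOLR_OPTS from solr.in.sh.
opts_has_mitigation() {
    case " $1 " in
        *" $MITIGATION_FLAG "*) return 0 ;;
        *) return 1 ;;
    esac
}

# assess VERSION OPTS: print "patched", "mitigated" (flag present, older jar)
# or "vulnerable" (older jar, no flag). Mitigated covers the lookup CVE only.
assess() {
    if version_ge "$1" "$PATCHED_LOG4J"; then
        echo patched
    elif opts_has_mitigation "$2"; then
        echo mitigated
    else
        echo vulnerable
    fi
}

# Usage against a real install, e.g.:
#   for j in /opt/solr/server/lib/ext/log4j-core-*.jar; do
#       echo "$j: $(assess "$(scan_jar "$j")" "$SOLR_OPTS")"
#   done
```

Run it with the real `SOLR_OPTS` exported (or pasted from `solr.in.sh`) so the flag check sees the options the JVM is actually started with; a flag set in a shell but not in the startup script will not survive a restart.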
