Il giorno gio 16 dic 2021 alle ore 19:38 Lukasz Lenart < lukaszlen...@apache.org> ha scritto:
> czw., 16 gru 2021 o 17:29 Antonio Petrelli > <antonio.petre...@gmail.com> napisał(a): > > Is there a reason why it has not been upgraded to 2.16.0? > > As Marc already pointed out, Log4j 2.16.0 requires JDK 8 while Struts > 2.5.x is still using JDK7, besides that Log4j 2.12.2 gives exactly the > same level of security as Log4j 2.16.0, see this > https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046 > > Ok thanks, mistakenly I thought that the 2.12 branch of Log4j was dead. +1 GA non binding from an emeritus. Antonio
