[ 
https://issues.apache.org/jira/browse/TIKA-3616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17460150#comment-17460150
 ] 

Tim Allison commented on TIKA-3616:
-----------------------------------

2.15's vulnerability seemed to require extra complexity (non-standard 
configuration) and, so far, no fellow devs have asked for a respin.  I'm not 
against it.  The current plan is to have an update in early January with 2.16 
(or later by then?).

If this is a complete non-starter and you need 2.16, please let us know and 
please help us understand how 2.15 would be problematic.

> Upgrade log4j2
> --------------
>
>                 Key: TIKA-3616
>                 URL: https://issues.apache.org/jira/browse/TIKA-3616
>             Project: Tika
>          Issue Type: Task
>            Reporter: Tim Allison
>            Priority: Major
>             Fix For: 2.1.1
>
>
> RCE...might be difficult to trigger in Tika, but why ask for a PoC...
> This only affects 2.x.  We were still using the old log4j in 1.x



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
