[jira] [Commented] (DOXIA-610) Update doxia-module-fo to use latest log4j

Sylwester Lachiewicz (Jira) Wed, 19 Aug 2020 13:40:11 -0700


    [ 
https://issues.apache.org/jira/browse/DOXIA-610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17180810#comment-17180810
 ]


Sylwester Lachiewicz commented on DOXIA-610:
--------------------------------------------

Looks like 1.2 is not affected by this bug and to upgrade to newer version 
someone must upgrade FOP to use Log4j2. 

> Update doxia-module-fo to use latest log4j
> ------------------------------------------
>
>                 Key: DOXIA-610
>                 URL: https://issues.apache.org/jira/browse/DOXIA-610
>             Project: Maven Doxia
>          Issue Type: Dependency upgrade
>          Components: Module - FO
>    Affects Versions: 1.9.1
>            Reporter: John Burnham
>            Priority: Critical
>
> This is critical for a release.  The version of log4j is 1.2.17 and contains 
> the following security risk:
> [CVE_2020_9488|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9488]
> This should be updated to use org.apache.logging.log4j:log4j-core:2.13.2



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (DOXIA-610) Update doxia-module-fo to use latest log4j

Reply via email to