[ https://issues.apache.org/jira/browse/DOXIA-610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17180810#comment-17180810 ]

Sylwester Lachiewicz edited comment on DOXIA-610 at 8/19/20, 10:36 PM:
-----------------------------------------------------------------------

Looks like 1.2 is not affected by this bug -and to upgrade to a newer version 
someone must upgrade FOP to use Log4j2.- 

FOP uses the commons-logging API for logs; Log4J is in use as one of the 
implementations. We can just drop Log4J so commons-logging will use the default JDK 
logging. Unfortunately, it will print lots of INFO statements.

Please check [https://github.com/apache/maven-doxia/pull/37]


was (Author: slachiewicz):
Looks like 1.2 is not affected by this bug and to upgrade to a newer version 
someone must upgrade FOP to use Log4j2. 
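The approach the comment above describes (remove Log4J 1.x from the classpath and let commons-logging fall back to its JDK logging adapter) is, in Maven terms, a dependency exclusion. The fragment below is an added illustration, not the Doxia pom or the code in pull request 37; the `${fop.version}` property and the surrounding `<dependencies>` element are assumptions, and the real module pom may declare FOP differently.

```xml
<!-- Added illustration, not the Doxia project's own pom. -->
<dependencies>
  <dependency>
    <groupId>org.apache.xmlgraphics</groupId>
    <artifactId>fop</artifactId>
    <version>${fop.version}</version> <!-- assumed property name -->
    <exclusions>
      <!-- FOP only needs the commons-logging API; Log4J 1.2.x is just one of
           the implementations commons-logging can discover at runtime.
           Excluding it here keeps log4j:log4j:1.2.17 (CVE-2020-9488) off the
           classpath. With no Log4J present, commons-logging selects its
           Jdk14Logger adapter, so FOP logs through java.util.logging. -->
      <exclusion>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
</dependencies>
```

After the change, confirm nothing else still pulls the artifact in transitively with `mvn dependency:tree -Dincludes=log4j:log4j`; an empty result means the 1.2.x jar is gone. The caveat in the comment still applies: java.util.logging defaults to INFO, so FOP becomes chatty unless the consuming application lowers the `org.apache.fop` logger level in its JUL configuration.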

> Update doxia-module-fo to use latest log4j
> ------------------------------------------
>
>                 Key: DOXIA-610
>                 URL: https://issues.apache.org/jira/browse/DOXIA-610
>             Project: Maven Doxia
>          Issue Type: Dependency upgrade
>          Components: Module - FO
>    Affects Versions: 1.9.1
>            Reporter: John Burnham
>            Priority: Critical
>
> This is critical for a release.  The version of log4j is 1.2.17 and contains 
> the following security risk:
> [CVE_2020_9488|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9488]
> This should be updated to use org.apache.logging.log4j:log4j-core:2.13.2



--
This message was sent by Atlassian Jira
(v8.3.4#803005)