ChrisSamo632 commented on a change in pull request #5616:
URL: https://github.com/apache/nifi/pull/5616#discussion_r771975014
##########
File path: pom.xml
##########
@@ -795,8 +795,8 @@
<exclude>com.google.code.findbugs:jsr305:*:*:compile</exclude>
<!-- Log4J excluded in favor of
log4j-over-slf4j and logback -->
<exclude>log4j:log4j:*</exclude>
- <!-- Ban log4j-core less than 2.15.0
due to Log4Shell vulnerability -->
-
<exclude>org.apache.logging.log4j:log4j-core:(,2.15.0)</exclude>
+ <!-- Log4j 2 log4j-core excluded in
favor of log4j-to-slf4j routing to logback -->
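Review bot: the added comment at the end of this hunk announces that log4j-core is excluded outright, but the `<exclude>` element that should follow it is not among the visible lines, while the removed `org.apache.logging.log4j:log4j-core:(,2.15.0)` rule is. Please confirm the replacement rule covers every version of log4j-core rather than a range, so the ban is not left weaker than before. Consider also keeping a mention of Log4Shell in the new comment, since the removed comment was the only place documenting the security reason for this rule.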
Review comment:
While it wasn't directly part of the Jira, is it worth updating log4j
to 2.17.0 to address CVE-2021-45105 (a DoS vulnerability found after the
release of 2.16.0)?