Spring is updated too. As an FYI, we now have "dependabot" automatically sending pull requests on deps.
On Fri, Feb 26, 2021 at 5:16 AM robertlazarski <[email protected]> wrote:

> This is fixed in the Axis2 git repo as we switched entirely to log4j2.
>
> On Fri, Feb 26, 2021 at 1:42 AM Andrew Marlow <[email protected]>
> wrote:
>
>> Hello everyone,
>>
>> I have noticed that axis2 depends on log4j version 1 and spring framework
>> 2.5.1. These have significant CVEs. Are there any plans for axis2 to move
>> off these vulnerable components please?
>>
>> log4j-v1
>> Apache Axis2 - Transport - testkit
>> Apache Axis2 - tool - WSDL2Code Maven Plugin
>>
>> spring-core-2.5.1
>> Apache Axis2 - spring
>> --
>> Regards,
>>
>> Andrew Marlow
>> http://www.andrewpetermarlow.co.uk
