Hi Craig,
I have created a JIRA ticket: https://issues.apache.org/jira/browse/JDO-800
This needs to be fixed in the pom.xml of the tck module.
Do we need to change this for JDO 3.2? Then I have to change the fix
version to JDO 3.2.
Regards, Michael
I looked at our pom.xml and we are using 2.13.3 so we need to update.
There is no risk but it will be good to put out an RC6 once we have JCP
approval.
Craig
Begin forwarded message:
From: Gary Gregory <garydgreg...@gmail.com>
Subject: Re: If your project is using log4j you need to update now (CVE-2021-44228)
Date: December 10, 2021 at 3:04:44 AM PST
To: memb...@apache.org
Reply-To: memb...@apache.org
It also helps to not use an antique version of Java 8, as Java 8u121 (see
https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution
by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and
"com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".
Gary
On Fri, Dec 10, 2021, 06:03 Mark J Cox <m...@apache.org> wrote:
Log4j2 2.15.0 was released today to address CVE-2021-44228 which can lead to
remote code execution in various situations.
See:
https://lists.apache.org/thread/p9sfg0z7t2gbgj76jz8rh1w28z11yq0v
https://logging.apache.org/log4j/2.x/security.html
Note: any updates of ASF projects needed to address this should reference
CVE-2021-44228 and do not require a project-specific CVE.
(Taking the non-usual step of mailing members@ to ensure it gets seen quickly;
projects should monitor announce@apache for dependency CVE updates.)
Regards, Mark J Cox
ASF Security
Craig L Russell
c...@apache.org
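Added example (not JDO project tooling, not from anyone in this thread): a small check that reads a Maven pom.xml, resolves `${...}` property references, and flags every `org.apache.logging.log4j` dependency whose version is below the 2.15.0 release named above. The sample pom is constructed here and uses the 2.13.3 version Craig found in the tck module.

```python
"""Flag Log4j 2 dependencies in a Maven pom.xml that are older than the fixed
release. Illustrative script; the sample pom below is constructed, not JDO's."""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
LOG4J_GROUP = "org.apache.logging.log4j"
FIXED = "2.15.0"  # release named in the ASF Security note for CVE-2021-44228


def parse_version(v):
    """'2.13.3' -> (2, 13, 3); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def resolve(value, props):
    """Expand ${prop} references against the pom's <properties> (one level)."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)), value or "")


def vulnerable_log4j(pom_xml):
    """Return [(artifactId, version)] for log4j deps with version < FIXED.
    Covers <dependencies> and <dependencyManagement> alike via iter()."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[1]: p.text
             for p in root.findall("m:properties/*", NS)}
    hits = []
    for dep in root.iter("{%s}dependency" % NS["m"]):
        gid = dep.findtext("m:groupId", default="", namespaces=NS)
        if gid != LOG4J_GROUP:
            continue
        aid = dep.findtext("m:artifactId", default="", namespaces=NS)
        ver = resolve(dep.findtext("m:version", default="", namespaces=NS), props)
        if ver and parse_version(ver) < parse_version(FIXED):
            hits.append((aid, ver))
    return hits


# Constructed sample pom (hypothetical), version pinned through a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j.version>2.13.3</log4j.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId><artifactId>junit</artifactId><version>4.13</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    print(vulnerable_log4j(SAMPLE_POM))  # [('log4j-core', '2.13.3')]
```

Versions inherited from a parent pom or a BOM are not visible in the child file, so run the check on the effective pom (`mvn help:effective-pom`) rather than on a module's pom.xml alone.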