Hi Tilmann,

I checked in the log4j change in branch 3.2.
I do not think that we need to change older versions of JDO (3.1, etc.). What do the others think?

Regards Michael

Hi Michael,

> @Tilmann Should I change the Log4j dependency in the main branch or in the branch 3.2?

In the 3.2 branch please.

Do we also need to prepare a patch for 3.1, e.g. 3.1.1?

Til

On 12/12/2021 20:25, Bouschen, Michael wrote:

Hi,

I understand we want to fix this in JDO 3.2, so I changed the fix version in the JIRA JDO-800 to JDO 3.2.

@Tilmann Should I change the Log4j dependency in the main branch or in the branch 3.2?

Regards Michael

Hi Craig,

I have created a JIRA ticket: https://issues.apache.org/jira/browse/JDO-800

This needs to be fixed in the pom.xml of the tck module.

Do we need to change this for JDO 3.2? Then I have to change the fix version to JDO 3.2.

Regards Michael

I looked at our pom.xml and we are using 2.13.3 so we need to update.

There is no risk but it will be good to put out an RC6 once we have JCP approval.

Craig

Begin forwarded message:

From: Gary Gregory <garydgreg...@gmail.com>
Subject: Re: If your project is using log4j you need to update now (CVE-2021-44228)
Date: December 10, 2021 at 3:04:44 AM PST
To: memb...@apache.org
Reply-To: memb...@apache.org

It also helps to not use an antique version of Java 8 as Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".

Gary

On Fri, Dec 10, 2021, 06:03 Mark J Cox <m...@apache.org> wrote:

Log4j2 2.15.0 was released today to address CVE-2021-44228 which can lead to remote code execution in various situations. See:

https://lists.apache.org/thread/p9sfg0z7t2gbgj76jz8rh1w28z11yq0v
https://logging.apache.org/log4j/2.x/security.html

Note: any updates of ASF projects needed to address this should reference CVE-2021-44228 and do not require a project-specific CVE.

(Taking the non-usual step of mailing members@ to ensure it gets seen quickly, projects should monitor announce@apache for dependency CVE updates)

Regards, Mark J Cox
ASF Security

Craig L Russell
c...@apache.org

--
Michael Bouschen
akquinet tech@spree GmbH
Bülowstraße 66 • D-10783 Berlin
Tel: +49 30 235520-33
Fax: +49 30 217520-12
E-Mail: michael.bousc...@akquinet.de
Web: www.akquinet.de
Management: Martin Weber, Dr. Torsten Fink, Heinz Wilming
Berlin District Court HRB 86780 • VAT ID no.: DE 225 964 680
[Facebook] <http://www.facebook.com/akquinet> [XING] <https://www.xing.com/companies/akquinetag> [LinkedIn] <https://www.linkedin.com/company/akquinet-ag> [Twitter] <https://twitter.com/akquinet>
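
The manual pom.xml check described in this thread can be automated; the following Python is an added example, not part of the thread or of the JDO code base. It resolves `${...}` properties and compares every `org.apache.logging.log4j` dependency against 2.15.0, the release the thread names. The function names and the sample POM are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

FIXED = (2, 15, 0)  # release the thread cites for CVE-2021-44228; pass a higher floor if needed

# Constructed sample modelled on the thread (2.13.3 in use); not the real JDO tck pom.xml.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j.version>2.13.3</log4j.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId><version>${log4j.version}</version></dependency>
    <dependency><groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId><version>2.15.0</version></dependency>
  </dependencies>
</project>"""

def _local(tag):
    # Strip the "{namespace}" prefix ElementTree puts on tags.
    return tag.rsplit("}", 1)[-1]

def _fields(elem):
    # Map child tag name -> trimmed text for one element.
    return {_local(c.tag): (c.text or "").strip() for c in elem}

def parse_version(text):
    # "2.13.3" -> (2, 13, 3); returns None for empty or unresolved values.
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def audit_pom(pom_xml, fixed=FIXED):
    """Return (artifactId, resolved version, status) per Log4j 2 dependency."""
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props.update(_fields(el))
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        f = _fields(dep)
        if f.get("groupId") != "org.apache.logging.log4j":
            continue
        # Substitute ${name} from <properties>; unknown names are left as-is.
        resolved = re.sub(r"\$\{([^}]+)\}",
                          lambda m: props.get(m.group(1), m.group(0)),
                          f.get("version", ""))
        ver = parse_version(resolved)
        status = "unresolved" if ver is None else "outdated" if ver < fixed else "ok"
        findings.append((f.get("artifactId"), resolved, status))
    return findings
```

A status of `unresolved` means the version comes from a parent POM or an undefined property and has to be checked there.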