Hi Andy,

> On Dec 19, 2021, at 6:01 AM, Andy Jefferson <a...@datanucleus.org> wrote:
>
>> 1. Log4j issue CVE-2021-44228 JDO-800 "Update Log4j Version"
>> https://issues.apache.org/jira/browse/JDO-800
>> TCK pom has been updated to log4j 2.16.0.
>> What are the DataNucleus versions that we should use that have been or will
>> be updated with the latest log4j releases?
>
> The exact same ones as you are using.

Great, glad to get confirmation that nothing is needed for the JDO dependency.

Warm regards,
Craig

> DN does not make direct use of any Log4j internal API etc, just gets a
> LogManager and a Logger from that. The API for those calls is unchanged by
> this "issue". Consequently it is only at RUNTIME that such an issue could be
> exploited, and the user (of DN) chooses what version of Log4j to make use of
> at runtime. No plans to update our pom (for v5.x) for an optional dependency.
>
> Regards
> --
> Andy
> DataNucleus (Web: http://www.datanucleus.org Twitter: @datanucleus)

Craig L Russell
c...@apache.org
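
Added example (not part of either message, and not DataNucleus or JDO code): because the reply places the exposure in whichever Log4j version is deployed at runtime, this Python script reads the log4j-core version from the jars on a runtime classpath and compares it with the 2.16.0 named in the thread. The sample jars, the function names and the use of 2.16.0 as a baseline are constructed assumptions.

```python
import io
import re
import zipfile

# Maven metadata entry carried by log4j-core jars.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
BASELINE = (2, 16, 0)  # version named in the thread; an assumed baseline, set your own

def parse_version(text):
    """Turn '2.14.1' or '2.17.0-SNAPSHOT' into a comparable 3-tuple of ints."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def log4j_core_version(jar_bytes):
    """Return the log4j-core version recorded in a jar, or None if it has none."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPS not in jar.namelist():
            return None
        props = jar.read(POM_PROPS).decode("utf-8", "replace")
    match = re.search(r"^version\s*=\s*(\S+)", props, re.MULTILINE)
    return match.group(1) if match else None

def audit(jars, baseline=BASELINE):
    """Map jar name -> (version, meets_baseline) for each log4j-core jar found."""
    report = {}
    for name, data in jars.items():
        version = log4j_core_version(data)
        if version is not None:
            report[name] = (version, parse_version(version) >= baseline)
    return report

def make_jar(version=None):
    """Build a constructed in-memory jar; with a version it mimics log4j-core metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version:
            jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()

# Constructed sample runtime classpath (not real artifacts).
SAMPLE = {
    "log4j-core-2.14.1.jar": make_jar("2.14.1"),
    "log4j-core-2.16.0.jar": make_jar("2.16.0"),
    "datanucleus-core.jar": make_jar(),
}

if __name__ == "__main__":
    for name, (version, ok) in audit(SAMPLE).items():
        print(f"{name}: log4j-core {version} {'ok' if ok else 'BELOW BASELINE'}")
```

Jars nested inside other archives, and shaded copies that drop the Maven metadata, are not detected by this check.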