Paul King created GROOVY-11824:
----------------------------------
Summary: Bump log4j2 version to 2.25.3 (test dependency)
Key: GROOVY-11824
URL: https://issues.apache.org/jira/browse/GROOVY-11824
Project: Groovy
Issue Type: Dependency upgrade
Reporter: Paul King
Assignee: Paul King
Fix For: 3.0.10, 4.0.0
Groovy doesn't bundle a version of Log4j in its distribution nor list it as a
dependency in its pom (or bom), so isn't directly affected by CVE-2021-44832
(see https://logging.apache.org/log4j/2.x/security.html).
However, Groovy users using the Log4j2 AST transform (or using Log4j2 directly)
may wish to update their version of Log4j or note the security workarounds
mentioned in the above security vulnerability link.
See also:
* LOG4J2-3293: JDBC Appender should use JNDI Manager and JNDI access should be limited
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
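For users of the Log4j2 AST transform mentioned above, the following Gradle build fragment (an added example, not part of the Groovy project or this ticket) pins Log4j to the version named in the summary and fails the build if an older Log4j artifact still resolves transitively. The `minLog4j` property, the `checkLog4jVersion` task and the `compareVersions` helper are assumptions of this example; the artifact coordinates are the usual Maven Central ones.

```groovy
// build.gradle (Groovy DSL) - added example, not the Groovy project's own build.
// Assumes a project whose classes use groovy.util.logging.Log4j2 (@Log4j2),
// so log4j-api is needed at compile time and log4j-core at runtime.
plugins { id 'groovy' }
repositories { mavenCentral() }

ext.minLog4j = '2.25.3'   // version named in GROOVY-11824 (assumed minimum)

dependencies {
    implementation 'org.apache.groovy:groovy:4.0.0'
    implementation "org.apache.logging.log4j:log4j-api:${minLog4j}"
    runtimeOnly   "org.apache.logging.log4j:log4j-core:${minLog4j}"
}

// Force every configuration onto the pinned version even when a transitive
// dependency declares an older Log4j.
configurations.all {
    resolutionStrategy {
        force "org.apache.logging.log4j:log4j-api:${minLog4j}",
              "org.apache.logging.log4j:log4j-core:${minLog4j}"
    }
}

// Numeric dotted-version comparison; non-numeric suffixes (e.g. "-rc1") are
// stripped from each segment and missing segments count as 0.
def compareVersions(String a, String b) {
    def parse = { String v ->
        v.tokenize('.').collect { (it.replaceAll(/\D.*/, '') ?: '0') as int }
    }
    def (pa, pb) = [parse(a), parse(b)]
    (0..<Math.max(pa.size(), pb.size())).collect {
        (pa[it] ?: 0) <=> (pb[it] ?: 0)
    }.find { it != 0 } ?: 0
}

// Fail the build if any Log4j artifact older than minLog4j reaches the runtime
// classpath; wired into `check` so CI catches regressions.
tasks.register('checkLog4jVersion') {
    doLast {
        def outdated = configurations.runtimeClasspath.resolvedConfiguration
            .resolvedArtifacts*.moduleVersion*.id
            .findAll { it.group == 'org.apache.logging.log4j' }
            .findAll { compareVersions(it.version, minLog4j) < 0 }
        if (outdated) {
            throw new GradleException("Log4j below ${minLog4j}: ${outdated}")
        }
    }
}
check.dependsOn 'checkLog4jVersion'
```

Run `gradle checkLog4jVersion` (or `gradle check`) to verify the resolved Log4j version; `gradle dependencies --configuration runtimeClasspath` shows which dependency pulled in any flagged artifact.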