[ https://issues.apache.org/jira/browse/GROOVY-12007?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul King updated GROOVY-12007:
-------------------------------
    Description:     (was: Groovy doesn't bundle a version of Log4j in its 
distribution nor list it as a dependency in its pom (or bom), so isn't directly 
affected by CVE-2021-44832 (see 
https://logging.apache.org/log4j/2.x/security.html).

However, Groovy users using the Log4j2 AST transform (or using Log4j2 directly) 
may wish to update their version of Log4j or note the security workarounds 
mentioned in the above security vulnerability link.

See also:
* LOG4J2-3293: JDBC Appender should use JNDI Manager and JNDI access should be 
limited
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832)

> Bump log4j2 version to 2.26.0 (test dependency)
> -----------------------------------------------
>
>                 Key: GROOVY-12007
>                 URL: https://issues.apache.org/jira/browse/GROOVY-12007
>             Project: Groovy
>          Issue Type: Dependency upgrade
>            Reporter: Paul King
>            Assignee: Paul King
>            Priority: Minor
>             Fix For: 6.0.0-alpha-2
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)