[
https://issues.apache.org/jira/browse/LOG4J2-2329?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17184657#comment-17184657
]
Krishan Mistry commented on LOG4J2-2329:
----------------------------------------
Also reported by [Synk|https://snyk.io/vuln/SNYK-JAVA-ORGSLF4J-32138] with the
same CVE
Lets upgrade to the latest minor version v1.7.30 (at the time of writing). This
is will likely have prevent less breaking changes to log4j2 builds.
SLF4J 1.8 is still slowly being developed, and we should push forward with
upgrading to v1.7.30
> Fix dependency in log4j-slf4j-impl to slf4j due to CVE-2018-8088
> ----------------------------------------------------------------
>
> Key: LOG4J2-2329
> URL: https://issues.apache.org/jira/browse/LOG4J2-2329
> Project: Log4j 2
> Issue Type: Bug
> Components: SLF4J Bridge
> Affects Versions: 2.11.0
> Reporter: Sven Kubiak
> Priority: Major
>
> Latest version of log4j-slf4j-impl has a dependency to slf4j-api version
> 1.8.0-Alpha2. All version before 1.8.0-Beta2 have vulnerable due to
> CVE-2018-8088.
> [https://nvd.nist.gov/vuln/detail/CVE-2018-8088]
> Can we update to at least 1.8.0-Beta2?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)