vy commented on pull request #608: URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992934542
> I would also appreciate if security fixes could be back ported to 2.12.x as this is the last version that supports Java 7. We're still supporting Java 7 in the Elastic APM Java agent so we can't upgrade to 2.15.0, which requires Java 8. We fixed the vulnerability by excluding `JndiLookup` but this still causes vulnerability scanners to emit warnings which creates a lot of friction (see [elastic/apm-agent-java#2332](https://github.com/elastic/apm-agent-java/pull/2332)). > > Is back porting security fixes to the 2.12.x branch something you would consider? Is it something we could help you with? Hey @felixbarny! I very well see your case. Mind creating a JIRA ticket, please? I suggest carrying out the backport work after the planned 2.16.0 release. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
