[ https://issues.apache.org/jira/browse/LOG4J2-3201?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458921#comment-17458921 ]

Lloyd Fernandes commented on LOG4J2-3201:
-----------------------------------------
I agree it would look weird. I could see Eclipse resolve the dependency
hierarchy where another jar dependency was resolving the log4j-api to 2.13.*
while I had already changed the log4j-core to 2.15.0. Ideally, I believe that
there shouldn't have been any version mismatch issues between 2.13 and 2.15,
but we decided to bump the log4j-api explicitly to 2.15.0 to be on the safer side.

> Limit the protocols JNDI can use and restrict LDAP.
> ---------------------------------------------------
>
> Key: LOG4J2-3201
> URL: https://issues.apache.org/jira/browse/LOG4J2-3201
> Project: Log4j 2
> Issue Type: Bug
> Components: Core
> Reporter: Ralph Goers
> Priority: Major
> Fix For: 2.15.0
>
>
> LDAP needs to be limited in the servers and classes it can access. JNDI
> should only support the java, ldap, and ldaps protocols by default.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)