remkop commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-993409892


   > > > @remkop Hi! Thanks for your work and the community correspondence.
   > > > Do you have any plans to backport the correspondence to this vulnerability to older versions of the 2.x?
   > > 
   > > 
   > > I would also appreciate if security fixes could be back ported to 2.12.x as this is the last version that supports Java 7. We're still supporting Java 7 in the Elastic APM Java agent so we can't upgrade to 2.15.0, which requires Java 8. We fixed the vulnerability by excluding `JndiLookup` but this still causes vulnerability scanners to emit warnings which creates a lot of friction (see [elastic/apm-agent-java#2332](https://github.com/elastic/apm-agent-java/pull/2332)).
   > > Is back porting security fixes to the 2.12.x branch something you would consider? Is it something we could help you with?
   > 
   > Hi, we provide a patch version based on 2.12.1 (supported Java 7) that we hope will be helpful to you. Release: https://github.com/quericy/logging-log4j2/releases/tag/2.12.1.sec1 . The pull request: #627
   
   @quericy Thank you for your kind offer! The Log4j Team is actually working on a 2.12.2 release targeting Java 7 at this moment, to be released soon. We will check your PR to see if we missed anything. Many thanks!


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
