This is an automated email from the ASF dual-hosted git repository. kezhenxu94 pushed a commit to branch log4j2 in repository https://gitbox.apache.org/repos/asf/skywalking.git
commit d2552655b556d50a97eb44cbbe6bf37db163e29e
Author: kezhenxu94 <[email protected]>
AuthorDate: Sat Dec 18 21:54:31 2021 +0800
Bump up log4j2 to 2.17
---
 CHANGES.md | 2 +-
 dist-material/release-docs/LICENSE | 2 +-
 oap-server-bom/pom.xml | 2 +-
 tools/dependencies/known-oap-backend-dependencies.txt | 6 +++---
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index e4ffa9d..517a571 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -7,7 +7,7 @@ Release Notes.
 #### Project
-* Upgrade log4j2 to 2.16.0 for CVE-2021-44228 and CVE-2021-45046. This CVE only effects on JDK if JDNI is opened in
+* Upgrade log4j2 to 2.17.0 for CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105. This CVE only effects on JDK if JNDI is opened in
 default. Notice, using JVM option `-Dlog4j2.formatMsgNoLookups=true` or setting the `LOG4J_FORMAT_MSG_NO_LOOKUPS=”true”` environment variable also avoids CVEs.
diff --git a/dist-material/release-docs/LICENSE b/dist-material/release-docs/LICENSE
index e228690..c9f241e 100755
--- a/dist-material/release-docs/LICENSE
+++ b/dist-material/release-docs/LICENSE
@@ -249,7 +249,7 @@ The text of each license is the standard Apache 2.0 license.
 Apache: commons-lang 3.6: https://github.com/apache/commons-lang, Apache 2.0
 Apache: commons-text 1.8: https://github.com/apache/commons-text, Apache 2.0
 Apache: commons-beanutils 1.9.4: https://github.com/apache/commons-beanutils, Apache 2.0
- Apache: log4j2 2.15.0: https://github.com/apache/logging-log4j2, Apache 2.0
+ Apache: log4j2 2.17.0: https://github.com/apache/logging-log4j2, Apache 2.0
 Apache: zookeeper 3.5.7: https://github.com/apache/zookeeper, Apache 2.0
 Apache: commons-collections 3.2.2: https://github.com/apache/commons-collections, Apache 2.0
 Apache: commons-configuration 1.8: https://github.com/apache/commons-configuration, Apache 2.0
diff --git a/oap-server-bom/pom.xml b/oap-server-bom/pom.xml
index bff30c8..a906768 100644
--- a/oap-server-bom/pom.xml
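Review bot: The unchanged sentence after the edited CHANGES.md bullet still says `-Dlog4j2.formatMsgNoLookups=true` or `LOG4J_FORMAT_MSG_NO_LOOKUPS` "also avoids CVEs", and the new line extends that claim to CVE-2021-45105. As far as I know the Log4j security advisories describe that setting as an insufficient mitigation, and it is not the remedy given for the recursive-lookup denial of service in CVE-2021-45105, so operators who rely on the flag instead of upgrading would be misled. "This CVE only effects on JDK if JNDI is opened in default" is also ambiguous now that three CVEs are listed. I would reword the bullet along the lines of `* Upgrade log4j2 to 2.17.0 for CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105. Upgrading is the fix; the formatMsgNoLookups option is not a complete mitigation.`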
+++ b/oap-server-bom/pom.xml
@@ -29,7 +29,7 @@
 <properties>
 <slf4j.version>1.7.30</slf4j.version>
- <log4j.version>2.16.0</log4j.version>
+ <log4j.version>2.17.0</log4j.version>
 <graphql-java-tools.version>5.2.3</graphql-java-tools.version>
 <graphql-java.version>8.0</graphql-java.version>
 <okhttp.version>3.14.9</okhttp.version>
diff --git a/tools/dependencies/known-oap-backend-dependencies.txt b/tools/dependencies/known-oap-backend-dependencies.txt
index 8f9f329..e74dbe1 100755
--- a/tools/dependencies/known-oap-backend-dependencies.txt
+++ b/tools/dependencies/known-oap-backend-dependencies.txt
@@ -93,10 +93,10 @@ kotlin-reflect-1.1.1.jar
 kotlin-stdlib-1.1.60.jar
 libthrift-0.14.1.jar
 listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
-log4j-api-2.16.0.jar
-log4j-core-2.16.0.jar
+log4j-api-2.17.0.jar
+log4j-core-2.17.0.jar
 log4j-over-slf4j-1.7.30.jar
-log4j-slf4j-impl-2.16.0.jar
+log4j-slf4j-impl-2.17.0.jar
 logging-interceptor-3.13.1.jar
 lz4-java-1.6.0.jar
 micrometer-core-1.7.6.jar
