[ https://issues.apache.org/jira/browse/OAK-9642?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17461462#comment-17461462 ]
Julian Reschke commented on OAK-9642:
-------------------------------------
FWIW, a rather mechanical thing to verify all is well is to nuke the folder
hierarchy below repository/org/apache/logging and then to rebuild Oak.
With OAK-9639 and OAK-9645 I have suppressed two test dependencies, and now,
after a full build (incl. all tests), there's still no log4j-core in my local
maven repo.
> Prepare a public statement w.r.t Log4Shell's impact on oak
> ----------------------------------------------------------
>
> Key: OAK-9642
> URL: https://issues.apache.org/jira/browse/OAK-9642
> Project: Jackrabbit Oak
> Issue Type: Task
> Reporter: Nitin Gupta
> Priority: Critical
>
> We need to assess what all oak versions are impacted (if they are, and how)
> by Log4Shell (https://nvd.nist.gov/vuln/detail/CVE-2021-44228).
>
> It would be good to put out a public statement on our project page to state
> what all versions are not impacted and any mitigation (if needed) in case of
> versions that are impacted.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
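
The check described in the comment above, as an added shell example (not part of the original message and not Oak project code). Assumptions: the local Maven repository is at ~/.m2/repository unless a path is given, `mvn clean install` stands in for the full build including tests, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the repository root
# defaults to ~/.m2/repository (assumption) and can be passed as $1.

# Print one line per log4j-core version directory found in the repo,
# followed by "jar" if the jar file itself is present, else "no-jar".
log4j_core_versions() {
    repo="${1:-$HOME/.m2/repository}"
    dir="$repo/org/apache/logging/log4j/log4j-core"
    [ -d "$dir" ] || return 0
    for v in "$dir"/*/; do
        [ -d "$v" ] || continue          # glob matched nothing
        ver=$(basename "$v")
        if [ -f "$v/log4j-core-$ver.jar" ]; then
            echo "$ver jar"
        else
            echo "$ver no-jar"
        fi
    done
}

# Return 0 when no log4j-core version is cached, 1 otherwise.
repo_is_clean() {
    found=$(log4j_core_versions "$1")
    if [ -n "$found" ]; then
        echo "log4j-core still present:" >&2
        echo "$found" >&2
        return 1
    fi
    return 0
}

# Step 1 of the comment: remove everything below org/apache/logging so
# that only artifacts pulled in by the next build can reappear.
purge_logging_tree() {
    repo="${1:-$HOME/.m2/repository}"
    rm -rf "$repo/org/apache/logging"
}

# Whole procedure: purge, rebuild in the given checkout, then check.
# $1 = repository root, $2 = path to the Oak source checkout.
recheck_after_rebuild() {
    purge_logging_tree "$1"
    (cd "$2" && mvn clean install) || return 2
    repo_is_clean "$1"
}
```

Other log4j artifacts such as log4j-api may legitimately reappear under the same tree after the build; only log4j-core entries are reported.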