[jira] [Commented] (JCLOUDS-1589) Upgrade to Log4j 2.15.0
[ https://issues.apache.org/jira/browse/JCLOUDS-1589?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17460790#comment-17460790 ]

ASF subversion and git services commented on JCLOUDS-1589:
----------------------------------------------------------

Commit dbd8eb1dabc2c0f0349388fdffcca6cb8819f07c in jclouds's branch refs/heads/master from Andrew Gaul
[ https://gitbox.apache.org/repos/asf?p=jclouds.git;h=dbd8eb1 ]

JCLOUDS-1589: Upgrade to log4j 2.16.0

This addresses a critical CVE:
https://logging.apache.org/log4j/2.x/security.html

> Upgrade to Log4j 2.15.0
> -----------------------
>
>                 Key: JCLOUDS-1589
>                 URL: https://issues.apache.org/jira/browse/JCLOUDS-1589
>             Project: jclouds
>          Issue Type: Improvement
>          Components: jclouds-drivers
>    Affects Versions: 2.4.0
>            Reporter: Andrew Gaul
>            Priority: Major
>              Labels: log4j
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> 2.15.0 fixes a critical CVE:
> [https://logging.apache.org/log4j/2.x/security.html]

--
This message was sent by Atlassian Jira (v8.20.1#820001)

[jira] [Commented] (JCLOUDS-1589) Upgrade to Log4j 2.15.0
[ https://issues.apache.org/jira/browse/JCLOUDS-1589?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17458828#comment-17458828 ]

Andrew Gaul commented on JCLOUDS-1589:
--------------------------------------

But jclouds-log4j currently depends on log4j 1.2.17 which suffers from a _different_ CVE:
[https://www.cvedetails.com/cve/CVE-2019-17571/]

I'm not too familiar with this driver and my first thought is to remove it as unmaintained since upgrading requires source code changes. But some tests rely on log4j e.g., atmos, b2, s3, so we need to migrate those first.

[jira] [Commented] (JCLOUDS-1589) Upgrade to Log4j 2.15.0
[ https://issues.apache.org/jira/browse/JCLOUDS-1589?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17457769#comment-17457769 ]

Andrew Gaul commented on JCLOUDS-1589:
--------------------------------------

Fortunately (?!) our log4j version is so old (1.2.17) that it does not include this functionality and thus the security hole.
Some tests use log4j but this is mostly a jclouds-log4j driver issue.