s/dependent/vulnerable/
On Thu, Jan 13, 2022 at 10:34 AM larry mccay <lmc...@apache.org> wrote:

> We are not vulnerable to those issues as they are in log4j-core and we
> don't use that in the 1.x line.
> Why would we need to upgrade libs that are not dependent?
>
> On Thu, Jan 13, 2022 at 6:47 AM Sandeep Moré <moresand...@gmail.com>
> wrote:
>
>> Awesome! That sounds great Sandor, thanks!
>>
>> On Thu, Jan 13, 2022 at 5:46 AM Sandor Molnar
>> <smol...@cloudera.com.invalid> wrote:
>>
>>> Hi folks,
>>>
>>> With our recent v1.6.1 release (an announcement is about to be sent out)
>>> we are on 2.16.0 to mitigate the infamous CVE-2021-44228
>>> <https://nvd.nist.gov/vuln/detail/CVE-2021-44228> security vulnerability.
>>> However, there were subsequent security issues found and those
>>> problems were addressed in later versions. For more information please
>>> read Log4J's security vulnerability page:
>>> https://logging.apache.org/log4j/2.x/security.html
>>>
>>> I'm proposing to kick off a new 1.6.2 release that includes the fix for
>>> https://issues.apache.org/jira/browse/KNOX-2702.
>>>
>>> Any objection?
>>>
>>> Cheers,
>>> Sandor
>>>
>>
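The exchange above turns on which log4j artifact a build actually ships: CVE-2021-44228 and the follow-up issues are in log4j-core 2.x, so a distribution that carries only the legacy log4j 1.x jar is not exposed to them, while one that carries log4j-core is only as safe as that jar's version. The script below is an added example written for this page, not Knox project code and not something posted in the thread. It walks a build or distribution tree, classifies every log4j jar by filename (legacy 1.x, the 1.2 bridge, log4j-api, log4j-core), and flags any log4j-core jar older than a version floor. The floor of 2.16.0 used in the demo is simply the version the thread names for v1.6.1; the directory layout and jar names in `make_sample_tree` are constructed sample data.

```sh
#!/bin/sh
# Added example, not Knox project code. Scans a build/distribution tree for
# log4j jars and reports which line each belongs to, so the claim "we ship
# log4j 1.x, not log4j-core" can be checked against the actual artifact.
# CVE-2021-44228 and its follow-ups are in log4j-core 2.x; a log4j 1.x jar is
# a different codebase. The version floor is a parameter; 2.16.0 in the demo
# is the version the thread names for v1.6.1 (an assumption for this page).

# classify_log4j_jar PATH -> prints "<kind> <version>" where kind is
#   core   (log4j-core 2.x, the module that contains the JNDI lookup)
#   api    (log4j-api 2.x, no lookup code)
#   bridge (log4j-1.2-api 2.x, the 1.x compatibility shim; not log4j-core)
#   log4j1 (legacy log4j 1.x artifact)
#   other  (not a log4j jar)
classify_log4j_jar() {
  base=$(basename "$1")
  case "$base" in
    log4j-core-*.jar)    v=${base#log4j-core-};    printf 'core %s\n'   "${v%.jar}" ;;
    log4j-api-*.jar)     v=${base#log4j-api-};     printf 'api %s\n'    "${v%.jar}" ;;
    log4j-1.2-api-*.jar) v=${base#log4j-1.2-api-}; printf 'bridge %s\n' "${v%.jar}" ;;
    log4j-1.*.jar)       v=${base#log4j-};         printf 'log4j1 %s\n' "${v%.jar}" ;;
    *)                   printf 'other -\n' ;;
  esac
}

# version_lt A B -> exit 0 when dotted version A sorts strictly before B
version_lt() {
  [ "$1" = "$2" ] && return 1
  first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$first" = "$1" ]
}

# scan_dir DIR MINVER -> prints one line per log4j jar found under DIR;
# exit 1 if any log4j-core jar is older than MINVER, else exit 0
scan_dir() {
  dir=$1; minver=$2; bad=0
  for jar in $(find "$dir" -type f -name 'log4j*.jar'); do
    info=$(classify_log4j_jar "$jar")
    kind=${info%% *}; ver=${info#* }
    if [ "$kind" = core ] && version_lt "$ver" "$minver"; then
      printf 'FLAG  %s (log4j-core %s < %s)\n' "$jar" "$ver" "$minver"
      bad=1
    else
      printf 'ok    %s (%s %s)\n' "$jar" "$kind" "$ver"
    fi
  done
  return $bad
}

# make_sample_tree -> creates a constructed directory of empty files named
# like jars (sample data, not a real Knox distribution) and prints its path
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/lib" "$d/ext"
  : > "$d/lib/log4j-1.2.17.jar"          # legacy 1.x: not log4j-core
  : > "$d/lib/log4j-api-2.16.0.jar"      # api only, no lookup code
  : > "$d/lib/log4j-1.2-api-2.16.0.jar"  # bridge, must not be read as 1.x core
  : > "$d/ext/log4j-core-2.14.1.jar"     # older core: flagged against a 2.16.0 floor
  : > "$d/ext/gateway-util.jar"
  printf '%s\n' "$d"
}

# Usage: sh scan.sh --demo        (runs against the constructed tree)
#        . ./scan.sh; scan_dir /path/to/knox-dist 2.16.0
if [ "${1:-}" = "--demo" ]; then
  sample=$(make_sample_tree)
  scan_dir "$sample" 2.16.0 || echo "log4j-core below the version floor found"
  rm -rf "$sample"
fi
```

Filename classification is a first pass only: a shaded or renamed jar hides the artifact name, so on a build you do not fully control, follow up by listing jar contents for `org/apache/logging/log4j/core/lookup/JndiLookup.class`, which is the class the 2.x CVE lives in.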