On 28.12.21 22:10, les McCool wrote:
Hi Michael,
Thank you for your quick response! I'll try the 6.1.1 version.
BTW: a new CVE was issued for log4j and they are now recommending an
upgrade to v2.17.1 for jdk8 and up.
https://logging.apache.org/log4j/2.x/
Thanks, I updated the PR since we had another dependency update pending
anyway:
https://github.com/apache/roller/pull/112
But the CVE seems to have very specific conditions ("an attacker with
permission to modify the logging configuration file"); if the attacker
has access to the configuration, it's over anyway in most cases.
regards,
michael
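A small check for the upgrade discussed above, added here as an example and not code from this thread or from the Apache Roller project: it scans a Maven pom.xml for `org.apache.logging.log4j` artifacts, resolves `${property}` versions, and reports any below the 2.17.1 floor the thread mentions for JDK 8 and later. The pom content, the `SAMPLE_POM` name and the function names are assumptions.

```python
"""Check a Maven pom.xml for Log4j 2 artifacts below a minimum version.
Added example, not code from the Roller thread or project; the pom below
is constructed and the 2.17.1 floor is the thread's recommendation."""
import re
import xml.etree.ElementTree as ET

MIN_LOG4J = "2.17.1"
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample pom: one artifact pinned via a property, one inline.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j.version>2.16.0</log4j.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>2.17.1</version>
    </dependency>
  </dependencies>
</project>"""


def parse_version(v):
    """Turn '2.17.1' into (2, 17, 1) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def find_outdated_log4j(pom_xml, minimum=MIN_LOG4J):
    """Return [(artifactId, resolved version)] for log4j artifacts below minimum."""
    root = ET.fromstring(pom_xml)
    # Collect <properties> so ${name} references in <version> can be resolved.
    props = {p.tag.rsplit("}", 1)[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    outdated = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        if dep.findtext("m:groupId", "", NS) != "org.apache.logging.log4j":
            continue
        raw = dep.findtext("m:version", "", NS).strip()
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), ""), raw)
        # An unresolvable version is reported too, so it is not silently skipped.
        if not version or parse_version(version) < parse_version(minimum):
            outdated.append((dep.findtext("m:artifactId", "", NS), version))
    return outdated


if __name__ == "__main__":
    print(find_outdated_log4j(SAMPLE_POM))
```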