Posted to notifications@logging.apache.org by GitBox <gi...@apache.org> on 2021/12/13 17:04:29 UTC

[GitHub] [logging-log4j2] felixbarny commented on pull request #608: Restrict LDAP access via JNDI

felixbarny commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992683138


   > @remkop Hi! Thanks for your work and the community correspondence.
   > Do you have any plans to backport the correspondence to this vulnerability to older versions of the 2.x?
   
   I would also appreciate it if security fixes could be backported to 2.12.x, as this is the last version that supports Java 7.
   We're still supporting Java 7 in the Elastic APM Java agent so we can't upgrade to 2.15.0, which requires Java 8. We fixed the vulnerability by excluding `JndiLookup` but this still causes vulnerability scanners to emit warnings which creates a lot of friction (see https://github.com/elastic/apm-agent-java/pull/2332).
   
   Is backporting security fixes to the 2.12.x branch something you would consider? Is it something we could help you with?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
