You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ofbiz.apache.org by jl...@apache.org on 2021/12/11 16:41:21 UTC
[ofbiz-framework] branch trunk updated: Fixed: [SECURITY] CVE-2021-44228: Apache Log4j2 (OFBIZ-12449)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 64a0b6e Fixed: [SECURITY] CVE-2021-44228: Apache Log4j2 (OFBIZ-12449)
64a0b6e is described below
commit 64a0b6e8d04b936f472b418cc8847c03b462d3a0
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Sat Dec 11 17:31:41 2021 +0100
Fixed: [SECURITY] CVE-2021-44228: Apache Log4j2 (OFBIZ-12449)
CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker
controlled LDAP and other JNDI related endpoints:
https://logging.apache.org/log4j/2.x/security.html
I'm not sure we are concerned, have no time to check, better safe than sorry...
I'll restart the demos...
---
build.gradle | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/build.gradle b/build.gradle
index 58e0566..8b16834 100644
--- a/build.gradle
+++ b/build.gradle
@@ -217,8 +217,8 @@ dependencies {
implementation 'org.apache.geronimo.components:geronimo-transaction:3.1.4'
implementation 'org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1'
implementation 'org.apache.httpcomponents:httpclient-cache:4.5.13'
- implementation 'org.apache.logging.log4j:log4j-api:2.14.1' // the API of log4j 2
- implementation 'org.apache.logging.log4j:log4j-core:2.14.1' // Somehow needed by Buildbot to compile OFBizDynamicThresholdFilter.java
+ implementation 'org.apache.logging.log4j:log4j-api:2.15.0' // the API of log4j 2
+ implementation 'org.apache.logging.log4j:log4j-core:2.15.0' // Somehow needed by Buildbot to compile OFBizDynamicThresholdFilter.java
implementation 'org.apache.poi:poi:4.1.2' // poi-ooxml-schemas-5.0.0.pom'. Received status code 401 from server
implementation 'org.apache.pdfbox:pdfbox:2.0.24'
implementation 'org.apache.shiro:shiro-core:1.8.0'
@@ -256,10 +256,10 @@ dependencies {
runtimeOnly 'org.apache.axis2:axis2-transport-local:1.7.9' // Above: SOAPEventHandler.java:42: error: package org.apache.axiom.om.impl.builder does not exist
runtimeOnly 'org.apache.derby:derby:10.14.2.0' // So far we did not update from 10.14.2.0 because of a compile issue. You may try w/ a newer version than 10.15.1.3
runtimeOnly 'org.apache.geronimo.specs:geronimo-jaxrpc_1.1_spec:2.1'
- runtimeOnly 'org.apache.logging.log4j:log4j-1.2-api:2.14.1' // for external jars using the old log4j1.2: routes logging to log4j 2
- runtimeOnly 'org.apache.logging.log4j:log4j-jul:2.14.1' // for external jars using the java.util.logging: routes logging to log4j 2
- runtimeOnly 'org.apache.logging.log4j:log4j-slf4j-impl:2.14.1' // for external jars using slf4j: routes logging to log4j 2
- runtimeOnly 'org.apache.logging.log4j:log4j-jcl:2.14.1' // need to constrain to version to avoid classpath conflict (ReflectionUtil)
+ runtimeOnly 'org.apache.logging.log4j:log4j-1.2-api:2.15.0' // for external jars using the old log4j1.2: routes logging to log4j 2
+ runtimeOnly 'org.apache.logging.log4j:log4j-jul:2.15.0' // for external jars using the java.util.logging: routes logging to log4j 2
+ runtimeOnly 'org.apache.logging.log4j:log4j-slf4j-impl:2.15.0' // for external jars using slf4j: routes logging to log4j 2
+ runtimeOnly 'org.apache.logging.log4j:log4j-jcl:2.15.0' // need to constrain to version to avoid classpath conflict (ReflectionUtil)
runtimeOnly 'org.codeartisans.thirdparties.swing:batik-all:1.8pre-r1084380'
// Dependencies defined by the plugins