You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@nifi.apache.org by ch...@apache.org on 2021/12/19 18:20:19 UTC
[nifi] branch main updated: NIFI-9504 Upgraded Logback from 1.2.8 to 1.2.9
This is an automated email from the ASF dual-hosted git repository.
chriss pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new bda48b3 NIFI-9504 Upgraded Logback from 1.2.8 to 1.2.9
bda48b3 is described below
commit bda48b3f87ad11ffcee54cd465ae6384c26fa3f1
Author: exceptionfactory <ex...@apache.org>
AuthorDate: Sat Dec 18 14:30:06 2021 -0600
NIFI-9504 Upgraded Logback from 1.2.8 to 1.2.9
NIFI-9505 Upgraded Log4j 2 from 2.16.0 to 2.17.0
Signed-off-by: Chris Sampson <ch...@gmail.com>
This closes #5615
---
pom.xml | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/pom.xml b/pom.xml
index 02c94b2..e447221 100644
--- a/pom.xml
+++ b/pom.xml
@@ -111,7 +111,7 @@
<gcs.version>2.1.5</gcs.version>
<aspectj.version>1.9.6</aspectj.version>
<jersey.version>2.33</jersey.version>
- <logback.version>1.2.8</logback.version>
+ <logback.version>1.2.9</logback.version>
<mockito.version>3.11.2</mockito.version>
<netty.3.version>3.10.6.Final</netty.3.version>
<netty.4.version>4.1.69.Final</netty.4.version>
@@ -485,11 +485,11 @@
<artifactId>aspectjweaver</artifactId>
<version>${aspectj.version}</version>
</dependency>
- <!-- Override log4j-core and related Log4j 2 libraries for transitive dependencies to address CVE-2021-44228 -->
+ <!-- Override log4j-core and related Log4j 2 libraries for transitive dependencies to multiple vulnerabilities -->
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-bom</artifactId>
- <version>2.16.0</version>
+ <version>2.17.0</version>
<scope>import</scope>
<type>pom</type>
</dependency>
@@ -795,8 +795,8 @@
<exclude>com.google.code.findbugs:jsr305:*:*:compile</exclude>
<!-- Log4J excluded in favor of log4j-over-slf4j and logback -->
<exclude>log4j:log4j:*</exclude>
- <!-- Ban log4j-core less than 2.15.0 due to Log4Shell vulnerability -->
- <exclude>org.apache.logging.log4j:log4j-core:(,2.15.0)</exclude>
+ <!-- Ban log4j-core less than 2.17.0 due to multiple vulnerability -->
+ <exclude>org.apache.logging.log4j:log4j-core:(,2.17.0)</exclude>
<!-- Commons Logging excluded in favor of jcl-over-slf4j -->
<exclude>commons-logging:commons-logging:*</exclude>
</excludes>