Posted to commits@nifi.apache.org by ch...@apache.org on 2021/12/19 18:20:19 UTC

[nifi] branch main updated: NIFI-9504 Upgraded Logback from 1.2.8 to 1.2.9

This is an automated email from the ASF dual-hosted git repository.

chriss pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git


The following commit(s) were added to refs/heads/main by this push:
     new bda48b3  NIFI-9504 Upgraded Logback from 1.2.8 to 1.2.9
bda48b3 is described below

commit bda48b3f87ad11ffcee54cd465ae6384c26fa3f1
Author: exceptionfactory <ex...@apache.org>
AuthorDate: Sat Dec 18 14:30:06 2021 -0600

    NIFI-9504 Upgraded Logback from 1.2.8 to 1.2.9
    
    NIFI-9505 Upgraded Log4j 2 from 2.16.0 to 2.17.0
    
    Signed-off-by: Chris Sampson <ch...@gmail.com>
    
    This closes #5615
---
 pom.xml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/pom.xml b/pom.xml
index 02c94b2..e447221 100644
--- a/pom.xml
+++ b/pom.xml
@@ -111,7 +111,7 @@
         <gcs.version>2.1.5</gcs.version>
         <aspectj.version>1.9.6</aspectj.version>
         <jersey.version>2.33</jersey.version>
-        <logback.version>1.2.8</logback.version>
+        <logback.version>1.2.9</logback.version>
         <mockito.version>3.11.2</mockito.version>
         <netty.3.version>3.10.6.Final</netty.3.version>
         <netty.4.version>4.1.69.Final</netty.4.version>
@@ -485,11 +485,11 @@
                 <artifactId>aspectjweaver</artifactId>
                 <version>${aspectj.version}</version>
             </dependency>
-            <!-- Override log4j-core and related Log4j 2 libraries for transitive dependencies to address CVE-2021-44228 -->
+            <!-- Override log4j-core and related Log4j 2 libraries for transitive dependencies to multiple vulnerabilities -->
             <dependency>
                 <groupId>org.apache.logging.log4j</groupId>
                 <artifactId>log4j-bom</artifactId>
-                <version>2.16.0</version>
+                <version>2.17.0</version>
                 <scope>import</scope>
                 <type>pom</type>
             </dependency>
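Review bot: The rewritten comment above the `log4j-bom` import reads "to multiple vulnerabilities": the verb "address" was dropped along with the CVE-2021-44228 reference, so it no longer states why the override exists or which advisories set the version floor. I would restore the verb and keep the traceable identifier, `<!-- Override log4j-core and related Log4j 2 libraries for transitive dependencies to address multiple vulnerabilities, including CVE-2021-44228 -->`, and add the advisories that motivated 2.17.0 as tracked under NIFI-9505. The enforcer comment in the last hunk has the same wording problem ("due to multiple vulnerability") and could read `<!-- Ban log4j-core less than 2.17.0 due to multiple vulnerabilities, including Log4Shell -->`. The enclosing dependency list starts and ends outside this hunk.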
@@ -795,8 +795,8 @@
                                         <exclude>com.google.code.findbugs:jsr305:*:*:compile</exclude>
                                         <!-- Log4J excluded in favor of log4j-over-slf4j and logback -->
                                         <exclude>log4j:log4j:*</exclude>
-                                        <!-- Ban log4j-core less than 2.15.0 due to Log4Shell vulnerability -->
-                                        <exclude>org.apache.logging.log4j:log4j-core:(,2.15.0)</exclude>
+                                        <!-- Ban log4j-core less than 2.17.0 due to multiple vulnerability -->
+                                        <exclude>org.apache.logging.log4j:log4j-core:(,2.17.0)</exclude>
                                         <!-- Commons Logging excluded in favor of jcl-over-slf4j -->
                                         <exclude>commons-logging:commons-logging:*</exclude>
                                     </excludes>
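Review bot: The ban range `(,2.17.0)` is a second hard-coded copy of the floor already pinned by the `log4j-bom` import, so the next Log4j upgrade must touch both places, and a missed edit leaves the enforcer accepting versions below the managed one. Following the `logback.version` pattern in the properties block, one property could feed both, e.g. `<version>${log4j2.version}</version>` and `<exclude>org.apache.logging.log4j:log4j-core:(,${log4j2.version})</exclude>`; the property name is only a suggestion, and interpolation inside the enforcer configuration should be confirmed. The rule presumably inspects only dependencies resolved by this build, so copies of log4j-core inside shaded or repackaged jars would need a separate check. The enclosing enforcer configuration starts and ends outside this hunk.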