Posted to commits@kafka.apache.org by bb...@apache.org on 2020/10/08 19:15:43 UTC

[kafka] 05/31: MINOR: log4j migration to confluent repackaged version (#362)

This is an automated email from the ASF dual-hosted git repository.

bbejeck pushed a commit to branch Merge_AK_to_CCS_10_08_2020
in repository https://gitbox.apache.org/repos/asf/kafka.git

commit e5d9b9251007a91a9458edd880bce0004035cfc7
Author: Nitesh Mor <ni...@users.noreply.github.com>
AuthorDate: Fri Jul 17 16:38:27 2020 -0700

    MINOR: log4j migration to confluent repackaged version (#362)
    
    Context: log4j v1 reached end of life many years ago and is affected by CVE-2019-17571.
    The Confluent repackaged version of log4j fixes the security vulnerabilities.
    
    Reviewers: Ismael Juma <is...@juma.me.uk>, Jeff Kim <je...@confluent.io>
---
 build.gradle               | 7 +++++++
 gradle/dependencies.gradle | 4 ++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index e7ee90c..9cc71f4 100644
--- a/build.gradle
+++ b/build.gradle
@@ -95,6 +95,13 @@ allprojects {
       }
     }
     configurations {
+      all {
+        resolutionStrategy {
+          dependencySubstitution {
+            substitute module("log4j:log4j:1.2.17") because "we use a custom version with security patches" with module("io.confluent:confluent-log4j:1.2.17-cp1")
+          }
+        }
+      }
       runtime {
         resolutionStrategy {
           force(
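Review bot: The selector in the added `substitute module("log4j:log4j:1.2.17")` line matches only that exact version, so a transitive dependency requesting any other log4j 1.x version would presumably still resolve the unpatched `log4j:log4j` jar, possibly next to the repackaged one with the same `org.apache.log4j` classes. Dropping the version covers every request: `substitute module("log4j:log4j") because "we use a custom version with security patches" with module("io.confluent:confluent-log4j:1.2.17-cp1")`. The replacement version is also hard-coded here while gradle/dependencies.gradle keeps it in `versions.log4j`, so the two can drift apart on the next patch release. If that map is in scope at this point, reference it; otherwise add a comment tying the two together. The `configurations` block begins and ends outside this hunk, so other resolution rules may already apply.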
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index 00ef720..5ce1b2a 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -72,7 +72,7 @@ versions += [
   jersey: "2.31",
   jmh: "1.23",
   hamcrest: "2.2",
-  log4j: "1.2.17",
+  log4j: "1.2.17-cp1",
   scalaLogging: "3.9.2",
   jaxb: "2.3.0",
   jaxrs: "2.1.1",
@@ -164,7 +164,7 @@ libs += [
   kafkaStreams_23: "org.apache.kafka:kafka-streams:$versions.kafka_23",
   kafkaStreams_24: "org.apache.kafka:kafka-streams:$versions.kafka_24",
   kafkaStreams_25: "org.apache.kafka:kafka-streams:$versions.kafka_25",
-  log4j: "log4j:log4j:$versions.log4j",
+  log4j: "io.confluent:confluent-log4j:$versions.log4j",
   lz4: "org.lz4:lz4-java:$versions.lz4",
   metrics: "com.yammer.metrics:metrics-core:$versions.metrics",
   mockitoCore: "org.mockito:mockito-core:$versions.mockito",
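Review bot: Nothing in this commit shows where `io.confluent:confluent-log4j` is resolved from, so the changed `log4j:` entry depends on a repository declaration outside the visible hunks. That declaration should be confirmed before merging, and ideally limited with repository content filtering to the `io.confluent` group, so that adding the repository does not widen where other dependencies can come from. The entry would also benefit from a comment such as `// Confluent repackaging of log4j 1.2.17 with security patches (CVE-2019-17571); keep in sync with the substitution in build.gradle`. The `libs` map starts and ends outside this hunk.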