Posted to commits@kafka.apache.org by bb...@apache.org on 2020/10/08 19:15:43 UTC
[kafka] 05/31: MINOR: log4j migration to confluent repackaged
version (#362)
This is an automated email from the ASF dual-hosted git repository.
bbejeck pushed a commit to branch Merge_AK_to_CCS_10_08_2020
in repository https://gitbox.apache.org/repos/asf/kafka.git
commit e5d9b9251007a91a9458edd880bce0004035cfc7
Author: Nitesh Mor <ni...@users.noreply.github.com>
AuthorDate: Fri Jul 17 16:38:27 2020 -0700
MINOR: log4j migration to confluent repackaged version (#362)
Context: log4j v1 reached end of life many years ago and is affected by CVE-2019-17571.
The Confluent repackaged version of log4j fixes the security vulnerabilities.
Reviewers: Ismael Juma <is...@juma.me.uk>, Jeff Kim <je...@confluent.io>
---
build.gradle | 7 +++++++
gradle/dependencies.gradle | 4 ++--
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/build.gradle b/build.gradle
index e7ee90c..9cc71f4 100644
--- a/build.gradle
+++ b/build.gradle
@@ -95,6 +95,13 @@ allprojects {
}
}
configurations {
+ all {
+ resolutionStrategy {
+ dependencySubstitution {
+ substitute module("log4j:log4j:1.2.17") because "we use a custom version with security patches" with module("io.confluent:confluent-log4j:1.2.17-cp1")
+ }
+ }
+ }
runtime {
resolutionStrategy {
force(
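Review bot: The substitution rule added under `configurations.all` matches only the exact coordinate `log4j:log4j:1.2.17`, so a transitive dependency that requests any other log4j 1.x version would presumably still resolve to the unpatched upstream jar that the commit message ties to CVE-2019-17571. Gradle accepts a version-less selector on the left-hand side, e.g. `substitute module("log4j:log4j") because "we use a custom version with security patches" with module("io.confluent:confluent-log4j:1.2.17-cp1")`, which covers every requested version. The literal `1.2.17-cp1` is also a second copy of `versions.log4j` from gradle/dependencies.gradle, so the two can drift; referencing the shared value (if it is in scope at this point of build.gradle) would keep them aligned. The `configurations` block continues outside the hunk.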
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index 00ef720..5ce1b2a 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -72,7 +72,7 @@ versions += [
jersey: "2.31",
jmh: "1.23",
hamcrest: "2.2",
- log4j: "1.2.17",
+ log4j: "1.2.17-cp1",
scalaLogging: "3.9.2",
jaxb: "2.3.0",
jaxrs: "2.1.1",
@@ -164,7 +164,7 @@ libs += [
kafkaStreams_23: "org.apache.kafka:kafka-streams:$versions.kafka_23",
kafkaStreams_24: "org.apache.kafka:kafka-streams:$versions.kafka_24",
kafkaStreams_25: "org.apache.kafka:kafka-streams:$versions.kafka_25",
- log4j: "log4j:log4j:$versions.log4j",
+ log4j: "io.confluent:confluent-log4j:$versions.log4j",
lz4: "org.lz4:lz4-java:$versions.lz4",
metrics: "com.yammer.metrics:metrics-core:$versions.metrics",
mockitoCore: "org.mockito:mockito-core:$versions.mockito",
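Review bot: The `log4j` entry in `libs` now resolves to a different publisher (`io.confluent:confluent-log4j`) under an unchanged key, and nothing at the definition says why; a one-line comment above it would help, e.g. `// Confluent repackaged log4j 1.x with security patches; keep in sync with the substitution in build.gradle`. Whether a repository serving the `io.confluent` group is declared, and whether the artifact is pinned by checksum or signature verification, is not visible in this diff and is worth confirming before merge. The `libs` map continues outside the hunk.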