Posted to commits@drill.apache.org by cg...@apache.org on 2022/01/03 12:58:44 UTC

[drill] branch master updated: DRILL-8071: upgrade log4j to 2.17.1 (#2417)

This is an automated email from the ASF dual-hosted git repository.

cgivre pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/drill.git


The following commit(s) were added to refs/heads/master by this push:
     new a3cfdac  DRILL-8071: upgrade log4j to 2.17.1 (#2417)
a3cfdac is described below

commit a3cfdacca01a193b5c5b836a0beafa0eb95a1669
Author: PJ Fanning <pj...@users.noreply.github.com>
AuthorDate: Mon Jan 3 13:58:33 2022 +0100

    DRILL-8071: upgrade log4j to 2.17.1 (#2417)
    
    * DRILL-8071: upgrade log4j to 2.17.1
    
    Description
    Drill's format-excel has only gained log4j dependencies recently (and this is not in any Drill release yet).
    
    Log4J have released 2.17.1 with another CVE fix. These CVEs don't affect Drill because it does not yet use log4j-core but for optics, it is better to update all log4j jars.
    
    https://logging.apache.org/log4j/2.x/security.html
    
    Documentation
    No changes
    
    Testing
    Unit tests
    
    * upgrade excel-streaming-reader due to cve in h2
    
    https://www.cvedetails.com/cve/CVE-2021-23463/
---
 contrib/format-excel/pom.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/contrib/format-excel/pom.xml b/contrib/format-excel/pom.xml
index 0d440ec..ccc9b7d 100644
--- a/contrib/format-excel/pom.xml
+++ b/contrib/format-excel/pom.xml
@@ -52,17 +52,17 @@
     <dependency>
       <groupId>com.github.pjfanning</groupId>
       <artifactId>excel-streaming-reader</artifactId>
-      <version>3.2.6</version>
+      <version>3.3.1</version>
     </dependency>
     <dependency>
       <groupId>org.apache.logging.log4j</groupId>
       <artifactId>log4j-api</artifactId>
-      <version>2.17.0</version>
+      <version>2.17.1</version>
     </dependency>
     <dependency>
       <groupId>org.apache.logging.log4j</groupId>
       <artifactId>log4j-to-slf4j</artifactId>
-      <version>2.17.0</version>
+      <version>2.17.1</version>
     </dependency>
     <!-- Test dependencies -->
     <dependency>
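
Review bot: The log4j version is hard-coded twice in this hunk, once under `log4j-api` and once under `log4j-to-slf4j`, so the next security bump has to touch both `<version>` lines and the two artifacts can drift apart if one is missed. Consider declaring the version once as a Maven property (for example a hypothetical `log4j.version`) and referencing it from both dependencies. Separately, the `excel-streaming-reader` change from 3.2.6 to 3.3.1 is justified in the commit message by the h2 CVE, but the diff cannot show the transitive effect. It would help to record in the PR that `mvn dependency:tree` for contrib/format-excel no longer resolves the affected h2 version.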