Posted to notifications@groovy.apache.org by "Paul King (Jira)" <ji...@apache.org> on 2021/12/19 03:36:00 UTC

[jira] [Updated] (GROOVY-10425) Bump log4j2 version to 2.17.0 (test dependency)

     [ https://issues.apache.org/jira/browse/GROOVY-10425?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul King updated GROOVY-10425:
-------------------------------
    Description: 
Groovy doesn't bundle a version of Log4j in its distribution nor list it as a dependency in its pom (or bom), so isn't directly affected by CVE-2021-45105 (see https://logging.apache.org/log4j/2.x/security.html).

However, Groovy users using the Log4j2 AST transform (or using Log4j2 directly) may wish to update their version of Log4j or note the security workarounds mentioned in the above security vulnerability link.

See also:
* LOG4J2-3230: Fix string substitution recursion
* LOG4J2-3242: Limit JNDI to the java protocol only. JNDI will remain disabled by default. Rename JNDI enablement property from 'log4j2.enableJndi' to 'log4j2.enableJndiLookup', 'log4j2.enableJndiJms', and 'log4j2.enableJndiContextSelector'
* LOG4J2-3241: Do not declare log4j-api-java9 and log4j-core-java9 as dependencies as it causes problems with the Maven enforcer plugin
* LOG4J2-3247: PropertiesConfiguration.parseAppenderFilters NPE when parsing properties file filters
* LOG4J2-3249: Log4j 1.2 bridge for Syslog Appender defaults to port 512 instead of 514
* LOG4J2-3237: Log4j 1.2 bridge API hard codes the Syslog protocol to TCP
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105
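
As an added example (not code from GROOVY-10425 or the Groovy project), a Gradle build-script fragment in Groovy that forces every Log4j 2 artifact to 2.17.0, transitive ones included, and registers a task that fails the build if an older log4j-core still resolves. It assumes a Gradle build that pulls in Log4j 2 directly or through the @Log4j2 AST transform; the property and task names (log4jFixed, compareVersions, verifyLog4jVersion) are made up here.

```groovy
// build.gradle (Groovy DSL). Added example, not part of GROOVY-10425 or the Groovy project.
// Assumes a Gradle build that depends on Log4j 2 directly or transitively; helper names are hypothetical.
import org.gradle.api.artifacts.DependencyResolveDetails

ext.log4jFixed = '2.17.0'   // version named in GROOVY-10425 for CVE-2021-45105

// Compare dotted numeric versions: negative if a < b, zero if equal, positive if a > b.
// Non-numeric segments (e.g. "rc1") count as 0; missing segments also count as 0.
ext.compareVersions = { String a, String b ->
    def pa = a.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    def pb = b.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    (0..<Math.max(pa.size(), pb.size())).collect { i ->
        (pa[i] ?: 0) <=> (pb[i] ?: 0)
    }.find { it != 0 } ?: 0
}

// Force every Log4j 2 artifact that a dependency requests below the fixed version,
// including transitive requests, up to the fixed version.
configurations.all {
    resolutionStrategy.eachDependency { DependencyResolveDetails details ->
        if (details.requested.group == 'org.apache.logging.log4j'
                && compareVersions(details.requested.version ?: '0', log4jFixed) < 0) {
            details.useVersion(log4jFixed)
            details.because("CVE-2021-45105 (GROOVY-10425)")
        }
    }
}

// Verification: fail the build if any resolvable configuration still ends up with an older log4j-core.
tasks.register('verifyLog4jVersion') {
    description = "Fails if a resolved log4j-core is older than ${log4jFixed}"
    doLast {
        def stale = []
        configurations.findAll { it.canBeResolved }.each { conf ->
            conf.incoming.resolutionResult.allComponents.each { comp ->
                def id = comp.moduleVersion
                if (id != null && id.group == 'org.apache.logging.log4j' && id.name == 'log4j-core'
                        && compareVersions(id.version, log4jFixed) < 0) {
                    stale << "${conf.name}: log4j-core ${id.version}"
                }
            }
        }
        if (stale) {
            throw new GradleException("Log4j 2 older than ${log4jFixed} resolved:\n  " + stale.join('\n  '))
        }
    }
}
```

Run `gradle verifyLog4jVersion` after applying the change. The plain numeric comparison treats the Java 7 and Java 6 lines (2.12.3 and 2.3.1, which also carry the CVE-2021-45105 fix) as older, so relax the check if a build is deliberately pinned to one of those.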

> Bump log4j2 version to 2.17.0 (test dependency)
> -----------------------------------------------
>
>                 Key: GROOVY-10425
>                 URL: https://issues.apache.org/jira/browse/GROOVY-10425
>             Project: Groovy
>          Issue Type: Dependency upgrade
>            Reporter: Paul King
>            Priority: Major
>



--
This message was sent by Atlassian Jira
(v8.20.1#820001)