You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sling.apache.org by gi...@apache.org on 2021/12/17 10:28:08 UTC
[sling-site] branch asf-site updated: Automatic website deployment from https://ci-builds.apache.org/job/Sling/job/modules/job/sling-site/job/master/358/
This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/sling-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new a2a0efa Automatic website deployment from https://ci-builds.apache.org/job/Sling/job/modules/job/sling-site/job/master/358/
a2a0efa is described below
commit a2a0efa6857c08ef3840204e405c42824a1ab686
Author: jenkins <bu...@apache.org>
AuthorDate: Fri Dec 17 10:28:06 2021 +0000
Automatic website deployment from https://ci-builds.apache.org/job/Sling/job/modules/job/sling-site/job/master/358/
---
security/log4shell.html | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/log4shell.html b/security/log4shell.html
index 4b823a8..932fcf0 100644
--- a/security/log4shell.html
+++ b/security/log4shell.html
@@ -97,7 +97,7 @@
Apache Sling advisory regarding CVE-2021-44228 and LOGBACK-1591
</h1><div class="content is-marginless">
<div class="row"><div><section><p>On 9th December 2021, a new zero-day vulnerability for <a href="https://logging.apache.org/log4j/2.x/index.html">Apache Log4j 2</a> was reported. It is tracked under <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228">CVE-2021-44228</a> and affects Log4j versions from 2.0.1 (inclusive) to 2.15.0 (exclusive). It is also known under the <em>Log4Shell</em> name.</p>
-<p>Apache Sling modules use the <a href="http://www.slf4j.org">Simple Logging Facade for Java</a> (slf4j) for logging, backed by the <a href="https://github.dev/apache/sling-org-apache-sling-commons-log/">Sling Commons Log bundle</a>. There are no Sling modules using versions of Log4j affected by <em>Log4Shell</em>. The Sling Starter and Sling CMS applications do not include any vulnerable version of the Log4j library.</p>
+<p>Apache Sling modules use the <a href="http://www.slf4j.org">Simple Logging Facade for Java</a> (slf4j) for logging, backed by the <a href="https://github.com/apache/sling-org-apache-sling-commons-log/">Sling Commons Log bundle</a>. There are no Sling modules using versions of Log4j affected by <em>Log4Shell</em>. The Sling Starter and Sling CMS applications do not include any vulnerable version of the Log4j library.</p>
<p>Applications built on top of Apache Sling are not impacted by CVE-2021-44228, provided they do not deploy a vulnerable version of Log4j themselves.</p>
<p>The Sling Commons Log bundle wraps <code>logback-core</code> and <code>logback-classic</code>, but does not allow arbitrary modifications to the <code>logback.xml</code> file and is therefore not vulnerable to the attack described in <a href="https://jira.qos.ch/browse/LOGBACK-1591">LOGBACK-1591</a>.</p>
<p>The Apache Sling PMC recommends that developers and operators of applications built on top of Apache Sling review the libraries they deploy to ensure that they do not include vulnerable versions of Log4j.</p>
@@ -112,7 +112,7 @@
content/security/log4shell.md
</a>
</div> <div class="revisionInfo">
- Last modified by <span class="author">Oliver Lietz</span> on <span class="comment">2021-12-17</span>
+ Last modified by <span class="author">Robert Munteanu</span> on <span class="comment">2021-12-17</span>
</div><p>
Apache Sling, Sling, Apache, the Apache feather logo, and the Apache Sling project logo are trademarks of The Apache Software Foundation. All other marks mentioned may be trademarks or registered trademarks of their respective owners.
</p><p>