Posted to commits@sling.apache.org by ol...@apache.org on 2021/12/17 07:44:25 UTC
[sling-site] branch master updated: add links, fix bundle name and style
This is an automated email from the ASF dual-hosted git repository.
olli pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-site.git
The following commit(s) were added to refs/heads/master by this push:
new 8af4dff add links, fix bundle name and style
8af4dff is described below
commit 8af4dffb109d0d49a5b87f906b5010a6b6c63a5a
Author: Oliver Lietz <ol...@apache.org>
AuthorDate: Fri Dec 17 08:43:45 2021 +0100
add links, fix bundle name and style
---
src/main/jbake/content/security/log4shell.md | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/main/jbake/content/security/log4shell.md b/src/main/jbake/content/security/log4shell.md
index 6237914..45a554e 100644
--- a/src/main/jbake/content/security/log4shell.md
+++ b/src/main/jbake/content/security/log4shell.md
@@ -5,19 +5,19 @@ tags=security
tableOfContents=false
~~~~~~
-On 9th December 2021, a new zero-day vulnerability for Apache Log4j was reported. It is tracked under [CVE-2021-44228](
+On 9th December 2021, a new zero-day vulnerability for [Apache Log4j 2](https://logging.apache.org/log4j/2.x/index.html) was reported. It is tracked under [CVE-2021-44228](
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228) and affects Log4j versions from 2.0.1 (inclusive) to 2.15.0
-(exclusive). It is also known under the 'log4shell' name.
+(exclusive). It is also known under the *Log4Shell* name.
-Apache Sling modules use the Simple Logging Facade for Java (slf4j) for logging, backed by the [Sling Commons OSGi
-bundle](https://github.dev/apache/sling-org-apache-sling-commons-log/).There are no Sling modules using versions of Log4j
-affected by log4shell. The Sling Starter and Sling CMS applications do not include any vulnerable version of the Log4j library.
+Apache Sling modules use the [Simple Logging Facade for Java](http://www.slf4j.org) (slf4j) for logging, backed by the [Sling Commons Log
+bundle](https://github.dev/apache/sling-org-apache-sling-commons-log/). There are no Sling modules using versions of Log4j
+affected by *Log4Shell*. The Sling Starter and Sling CMS applications do not include any vulnerable version of the Log4j library.
Applications built on top of Apache Sling are not impacted by CVE-2021-44228, provided they do not deploy
-a vulnerable version of log4j themselves.
+a vulnerable version of Log4j themselves.
-The Sling Commons OSGi bundle wraps logback-core and logback-classic, but does not allow arbitrary modifications to
-the logback.xml file and is therefore not vulnerable to the attack described in [LOGBACK-1591](https://jira.qos.ch/browse/LOGBACK-1591) .
+The Sling Commons Log bundle wraps `logback-core` and `logback-classic`, but does not allow arbitrary modifications to
+the `logback.xml` file and is therefore not vulnerable to the attack described in [LOGBACK-1591](https://jira.qos.ch/browse/LOGBACK-1591).
The Apache Sling PMC recommends that developers and operators of applications built on top of Apache Sling review the libraries they
-deploy to ensure that they do not include vulnerable versions of Log4j.
\ No newline at end of file
+deploy to ensure that they do not include vulnerable versions of Log4j.
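Review bot: The Sling Commons Log link in the second paragraph still points at https://github.dev/apache/sling-org-apache-sling-commons-log/, which is the github.dev web editor host rather than the repository page on github.com. Since this commit already rewrites that line to fix the bundle name, consider changing the host to github.com in the same change. The newly added slf4j link in the same paragraph uses plain http (http://www.slf4j.org) while the other links in this hunk are https; on a security advisory page it would be better to link over https there as well.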