Posted to issues@activemq.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/05/17 14:03:00 UTC

[jira] [Work logged] (ARTEMIS-3839) Upgrade jboss-logging 3.4.3.Final dependency due to false-positive vulnerability reports

     [ https://issues.apache.org/jira/browse/ARTEMIS-3839?focusedWorklogId=771367&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-771367 ]

ASF GitHub Bot logged work on ARTEMIS-3839:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 17/May/22 14:02
            Start Date: 17/May/22 14:02
    Worklog Time Spent: 10m 
      Work Description: enkeys opened a new pull request, #4084:
URL: https://github.com/apache/activemq-artemis/pull/4084

   Upgrade jboss-logging 3.4.3.Final dependency due to false-positive vulnerability reports
   
   Minor upgrade for jboss-logging from 3.4.3 to 3.5.0
   Patch upgrade for jboss-logging-annotations from 2.2.0.Final to 2.2.1.Final
   Patch upgrade for jboss-logging-processor from 2.2.0.Final to 2.2.1.Final




Issue Time Tracking
-------------------

            Worklog Id:     (was: 771367)
    Remaining Estimate: 0h  (was: 10m)
            Time Spent: 10m

> Upgrade jboss-logging 3.4.3.Final dependency due to false-positive vulnerability reports 
> -----------------------------------------------------------------------------------------
>
>                 Key: ARTEMIS-3839
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3839
>             Project: ActiveMQ Artemis
>          Issue Type: Dependency upgrade
>          Components: Broker
>    Affects Versions: 2.22.0
>            Reporter: Dominik Lenoch
>            Priority: Minor
>   Original Estimate: 10m
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Upgrade org.jboss.logging:jboss-logging due to its dependency on an old version of log4j with known vulnerabilities. These vulnerabilities do not apply to jboss-logging; log4j is only used there for facades, but the scan reports false-positive vulnerabilities due to this.


