Posted to commits@directory.apache.org by sm...@apache.org on 2021/12/13 19:03:10 UTC

[directory-site] branch master updated: more detailed info about CVE

This is an automated email from the ASF dual-hosted git repository.

smckinney pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/directory-site.git


The following commit(s) were added to refs/heads/master by this push:
     new 6f255f0  more detailed info about CVE
6f255f0 is described below

commit 6f255f086c5a91e51add0a2c68c65013774e4832
Author: Shawn McKinney <sm...@symas.com>
AuthorDate: Mon Dec 13 13:03:06 2021 -0600

    more detailed info about CVE
---
 source/fortress/news.md | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/source/fortress/news.md b/source/fortress/news.md
index 1a97213..31e265f 100644
--- a/source/fortress/news.md
+++ b/source/fortress/news.md
@@ -8,15 +8,16 @@ title: News
 
 The Apache Directory Project announces the release of Fortress - 2.0.7.
 
-This emergency release includes an upgrade to the latest Log4j library, v2.15.0. This is our response to [CVE-2021-44228](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228).
+This emergency release includes an upgrade to the latest Log4j-core library. This is our response to [CVE-2021-44228](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228).
 
-It also includes dependency upgrades for Web and Rest deployments to be up-to-date per the latest OWASP vulnerability scans and a couple of other bug fixes.
+It also includes other dependency upgrades (to latest Spring Security, Apache CXF and Apache Wicket) for Web and Rest dependencies to be up-to-date per the latest OWASP vulnerability scans and a couple of other misc bug fixes.
 
-If using Apache Fortress 2.0.6, in any of your deployments, it is highly recommended moving to this release. Or, following the other mitigation procedures surrounding this CVE.
-
-Previous version of Fortress, before 2.0.6, used Log4j v1, and aren't impacted.
-
-Contact us on our mailing list if you have any questions.
+More info about the Log4Shell vulnerability and Apache Fortress:
+- If using the Apache Fortress Core 2.0.6, no need to upgrade.  It does pull in the Apache Log4j-core lib, but only as a test dependency.  
+- Dependent apps of the Apache Fortress Core 2.0.6 do not need to upgrade because it does not pull in the Log4j-core lib as a compile or runtime dependency.
+- Apache Fortress 2.0.6 Web (Commander) and Rest (Enmasse) deployments are affected.  Upgrade immediately, or follow the mitigation procedures as described by the Apache Log4J project.
+- Previous versions of Apache Fortress, before 2.0.6, did not use Apache Log4j and aren't affected.
+- Contact us on our mailing list if you have any questions.
 
 The Release notes:
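Review bot: The replaced line drops the only concrete version number readers could verify ("the latest Log4j library, v2.15.0" becomes "the latest Log4j-core library"), so a reader of news.md can no longer tell which log4j-core release Fortress 2.0.7 actually ships; state the exact version in that sentence, since "latest" goes stale as soon as the Log4j project publishes another release. In the new bullet list, the Web/Rest item tells affected users to "follow the mitigation procedures as described by the Apache Log4J project" without linking them, whereas the CVE reference two paragraphs up is a proper link; add the same kind of link here so the advice is actionable. Minor: the first bullet has doubled spaces after its sentences and trailing whitespace at end of line, which Markdown may render as a hard line break; trim them to match the other bullets.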