You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@nifi.apache.org by jo...@apache.org on 2021/12/20 17:43:28 UTC

[nifi] 04/05: NIFI-9504 Upgraded Logback from 1.2.8 to 1.2.9

This is an automated email from the ASF dual-hosted git repository.

joewitt pushed a commit to branch support/nifi-1.15
in repository https://gitbox.apache.org/repos/asf/nifi.git

commit abc45ac67f5dbc49eb0c7567a493c90ee350055c
Author: exceptionfactory <ex...@apache.org>
AuthorDate: Sat Dec 18 14:30:06 2021 -0600

    NIFI-9504 Upgraded Logback from 1.2.8 to 1.2.9
    
    NIFI-9505 Upgraded Log4j 2 from 2.16.0 to 2.17.0
    
    Signed-off-by: Chris Sampson <ch...@gmail.com>
    
    This closes #5615
---
 pom.xml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/pom.xml b/pom.xml
index 21152ae..6cf5ad3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -110,7 +110,7 @@
         <gcs.version>2.1.5</gcs.version>
         <aspectj.version>1.9.6</aspectj.version>
         <jersey.version>2.33</jersey.version>
-        <logback.version>1.2.8</logback.version>
+        <logback.version>1.2.9</logback.version>
         <mockito.version>3.11.2</mockito.version>
         <netty.3.version>3.10.6.Final</netty.3.version>
         <netty.4.version>4.1.69.Final</netty.4.version>
@@ -484,11 +484,11 @@
                 <artifactId>aspectjweaver</artifactId>
                 <version>${aspectj.version}</version>
             </dependency>
-            <!-- Override log4j-core and related Log4j 2 libraries for transitive dependencies to address CVE-2021-44228 -->
+            <!-- Override log4j-core and related Log4j 2 libraries for transitive dependencies to multiple vulnerabilities -->
             <dependency>
                 <groupId>org.apache.logging.log4j</groupId>
                 <artifactId>log4j-bom</artifactId>
-                <version>2.16.0</version>
+                <version>2.17.0</version>
                 <scope>import</scope>
                 <type>pom</type>
             </dependency>
@@ -783,8 +783,8 @@
                                         <exclude>com.google.code.findbugs:jsr305:*:*:compile</exclude>
                                         <!-- Log4J excluded in favor of log4j-over-slf4j and logback -->
                                         <exclude>log4j:log4j:*</exclude>
-                                        <!-- Ban log4j-core less than 2.15.0 due to Log4Shell vulnerability -->
-                                        <exclude>org.apache.logging.log4j:log4j-core:(,2.15.0)</exclude>
+                                        <!-- Ban log4j-core less than 2.17.0 due to multiple vulnerability -->
+                                        <exclude>org.apache.logging.log4j:log4j-core:(,2.17.0)</exclude>
                                         <!-- Commons Logging excluded in favor of jcl-over-slf4j -->
                                         <exclude>commons-logging:commons-logging:*</exclude>
                                     </excludes>