Posted to notifications@logging.apache.org by "Matt Sicker (Jira)" <ji...@apache.org> on 2022/11/17 00:26:00 UTC

[jira] [Resolved] (LOG4J2-3636) Vulnerability with log4j2 dependency

     [ https://issues.apache.org/jira/browse/LOG4J2-3636?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Sicker resolved LOG4J2-3636.
---------------------------------
    Resolution: Invalid

Being a library dependency, the end user always has control over the final versions of transitive dependencies being pulled into their project. We keep dependencies up to date between releases to ensure forward compatibility, too.

> Vulnerability with log4j2 dependency
> ------------------------------------
>
>                 Key: LOG4J2-3636
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3636
>             Project: Log4j 2
>          Issue Type: Bug
>    Affects Versions: 2.19.0
>            Reporter: Sasikumar Muthukrishnan Sampath
>            Priority: Major
>
> The following vulnerability is associated with log4j2 2.19.0 version. This is coming from jackson-databind and the fix for this issue is available with jackson 2.13.4.1 and 2.14.0 versions. Please upgrade the jackson dependency on log4j.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
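
The consumer-side override that the resolution comment refers to, as an added example that is not part of the original message or the Log4j project's own build: a Maven `pom.xml` in which the consuming project pins jackson-databind to 2.13.4.1, the 2.13-line fix version named in the report. Maven as the build tool and the `com.example:demo-app` coordinates are assumptions made for illustration.

```xml
<!-- Added example: consumer-side pom.xml, not taken from the Log4j build. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>

  <!-- Hypothetical coordinates for the consuming application. -->
  <groupId>com.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0.0</version>

  <dependencyManagement>
    <dependencies>
      <!-- A managed version takes precedence over the version any
           dependency's own POM declares for this artifact, whether it
           arrives directly or transitively. -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.13.4.1</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The Log4j version named in the report; left unchanged. -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.19.0</version>
    </dependency>
  </dependencies>
</project>
```

Running `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` in the consuming project shows which version was actually resolved, if the artifact ends up on the classpath at all.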