Posted to issues@beam.apache.org by "Alexey Romanenko (Jira)" <ji...@apache.org> on 2021/04/28 10:11:00 UTC

[jira] [Updated] (BEAM-11055) Update log4j to version 2.14.1

     [ https://issues.apache.org/jira/browse/BEAM-11055?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexey Romanenko updated BEAM-11055:
------------------------------------
    Fix Version/s: 2.30.0
       Resolution: Fixed
           Status: Resolved  (was: Open)

> Update log4j to version 2.14.1
> ------------------------------
>
>                 Key: BEAM-11055
>                 URL: https://issues.apache.org/jira/browse/BEAM-11055
>             Project: Beam
>          Issue Type: Improvement
>          Components: build-system, io-java-elasticsearch
>            Reporter: Ismaël Mejía
>            Assignee: Ismaël Mejía
>            Priority: P3
>             Fix For: 2.30.0
>
>          Time Spent: 11h 40m
>  Remaining Estimate: 0h
>
> Beam uses a version of log4j that is reported by some security tools to have some security issues. Notice that Beam's use of log4j should not be impacted by the issue.
> See [https://nvd.nist.gov/vuln/detail/CVE-2017-5645]
> The update in the vendored grpc module is to ensure it gets updated too in a future release of our vendored dependencies. Notice that this is a runtime dep for users, so they are free to provide their own version, so it is less of an issue.


