You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Elliotte Rusty Harold (Jira)" <ji...@apache.org> on 2020/06/17 20:50:00 UTC
[jira] [Commented] (DOXIA-610) Update doxia-module-fo to use latest
log4j
[ https://issues.apache.org/jira/browse/DOXIA-610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17138823#comment-17138823 ]
Elliotte Rusty Harold commented on DOXIA-610:
---------------------------------------------
That's not possible. org.apache.logging.log4j:log4j-core:2.13.2 is ont Java 7 compatible. Perhaps an earlier version is?
[INFO] Restricted to JDK 1.7 yet org.apache.logging.log4j:log4j-api:jar:2.13.2:runtime contains org/apache/logging/log4j/util/LoaderUtil$1.class targeted to JDK 8
[INFO] Restricted to JDK 1.7 yet org.apache.logging.log4j:log4j-core:jar:2.13.2:runtime contains org/apache/logging/log4j/core/appender/SocketAppender$Builder.class targeted to JDK 8
[WARNING] Rule 0: org.apache.maven.plugins.enforcer.EnforceBytecodeVersion failed with message:
Found Banned Dependency: org.apache.logging.log4j:log4j-api:jar:2.13.2
Found Banned Dependency: org.apache.logging.log4j:log4j-core:jar:2.13.2
Use 'mvn dependency:tree' to locate the source of the banned dependencies.
> Update doxia-module-fo to use latest log4j
> ------------------------------------------
>
> Key: DOXIA-610
> URL: https://issues.apache.org/jira/browse/DOXIA-610
> Project: Maven Doxia
> Issue Type: Dependency upgrade
> Components: Module - FO
> Affects Versions: 1.9.1
> Reporter: John Burnham
> Priority: Critical
>
> This is critical for a release. The version of log4j is 1.2.17 and contains the following security risk:
> [CVE_2020_9488|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9488]
> This should be updated to use org.apache.logging.log4j:log4j-core:2.13.2
--
This message was sent by Atlassian Jira
(v8.3.4#803005)