Posted to commits@camel.apache.org by GitBox <gi...@apache.org> on 2021/12/13 13:54:45 UTC

[GitHub] [camel-website] davsclaus commented on a change in pull request #714: Blog about Apache Camel and the log4j security issue

davsclaus commented on a change in pull request #714:
URL: https://github.com/apache/camel-website/pull/714#discussion_r767777466



##########
File path: content/blog/2021/12/log4j2/index.md
##########
@@ -0,0 +1,58 @@
+---
+title: "Apache Camel and CVE-2021-44228 (log4j)"
+date: 2021-12-13
+draft: false
+authors: [davsclaus]
+categories: ["security"]
+preview: "Apache Camel and CVE-2021-44228 (log4j)"
+---
+
+### Apache Camel is NOT using log4j for production
+
+Apache Camel does not directly depend on Log4j 2, 
+so we are not affected by CVE-2021-44228. 
+
+If you explicitly added the Log4j 2 dependency to your own applications,
+make sure to upgrade.
+
+### Apache Camel is using log4j for testing itself
+
+Apache Camel does use log4j during testing itself, and therefore you
+can find that we have been using log4j v2.13.3 release in our latest LTS releases
+Camel 3.7.6, 3.11.4. 
+
+In the `camel-dependencies` BOM we extract all the 3rd party dependency
+version that was used for building and testing the release:
+
+    <log4j2-version>2.13.3</log4j2-version>
+
+In the upcoming LTS releases 3.14.0, 3.11.5, and 3.7.7 we have upgraded to
+log4j 2.15.0. For future releases then we plan to filter out testing
+dependencies in the `camel-dependencies` BOM, meaning that `log4j2-version`
+will no longer be included.
+
+### 3rd party components with transitive dependency on log4j-core
+
+There are two Camel components, camel-nsq and camel-corda which has
+dependency on log4j-core by their 3rd party library. Those libraries
+does not active use log4j-core, but rely only on log4j-api, so the maintainers
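
Review bot: In the first section, "so we are not affected by CVE-2021-44228" reads as a blanket statement, but the last section says camel-nsq and camel-corda bring in log4j-core transitively through their 3rd party libraries. Suggest scoping the opening claim to Camel's own direct dependencies and pointing to the transitive-dependency section, so users of those two components do not stop reading at the first heading. The advice "make sure to upgrade" also does not say which version to upgrade to; naming the fixed release (the text further down says Camel itself moved to log4j 2.15.0) would make it actionable. Minor wording in the last paragraph: "which has" should be "which have", and "does not active use" should be "do not actively use".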

Review comment:
       Ah yeah good to catch those typos, feel free to edit as this is a blog announcement from all of us.



