Posted to dev@flink.apache.org by "Martijn Visser (Jira)" <ji...@apache.org> on 2021/12/14 08:06:00 UTC

[jira] [Created] (FLINK-25295) Update Log4j to 2.16.0

Martijn Visser created FLINK-25295:
--------------------------------------

             Summary: Update Log4j to 2.16.0
                 Key: FLINK-25295
                 URL: https://issues.apache.org/jira/browse/FLINK-25295
             Project: Flink
          Issue Type: Technical Debt
          Components: API / Core
            Reporter: Martijn Visser
             Fix For: 1.15.0, 1.13.5, 1.14.2


Log4j 2.16.0 has been released: https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4

This version removes message lookups and disables JNDI by default, resulting in a hardening of the default behaviour and configuration.

Just to be clear, this dependency upgrade is not required to fix CVE-2021-44228. That has already been covered by https://issues.apache.org/jira/browse/FLINK-25240


