Posted to dev@flink.apache.org by "Martijn Visser (Jira)" <ji...@apache.org> on 2021/12/14 08:06:00 UTC
[jira] [Created] (FLINK-25295) Update Log4j to 2.16.0
Martijn Visser created FLINK-25295:
--------------------------------------
Summary: Update Log4j to 2.16.0
Key: FLINK-25295
URL: https://issues.apache.org/jira/browse/FLINK-25295
Project: Flink
Issue Type: Technical Debt
Components: API / Core
Reporter: Martijn Visser
Fix For: 1.15.0, 1.13.5, 1.14.2
Log4j 2.16.0 has been released: https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4
This version removes message lookups and disables JNDI by default, and results in a hardening of the default behaviour and configuration.
Just to be clear, this dependency upgrade is not required to fix CVE-2021-44228. That has already been covered by https://issues.apache.org/jira/browse/FLINK-25240.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)