Conversation
Hi, can we merge this soon to patch the CVE? Also would it be better to bump to 2.17+ instead? CC: @jekh
| <maven-jar-plugin.version>3.0.2</maven-jar-plugin.version> | ||
| <log4j.version>2.9.0</log4j.version> | ||
| <log4j.version>2.15.0</log4j.version> |
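Review bot: the new value `<log4j.version>2.15.0</log4j.version>` should be raised to 2.17.0 before merge; the comments in this thread cite CVE-2021-45105 as addressed in Log4j 2.17.0 for Java 8 and up, so landing at 2.15.0 would leave that issue open. The `maven-jar-plugin.version` context line is unchanged. Since the PR has no description, a one-line note naming the CVE being patched and the target Log4j version would also help reviewers confirm the intended scope.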
As @vidhem suggests, can we bump up to version 2.17.0 for the reason described:
The Log4j team has been made aware of a security vulnerability, CVE-2021-45105, that has been addressed in Log4j 2.17.0 for Java 8 and up.
I tested your patch locally @YLcoding with both versions 2.15.0 and 2.17.0; with both versions, all unit tests pass except for: net.lightbody.bmp.proxy.BindAddressTest.testClientBindAddressCannotConnect
java.lang.AssertionError: Expected exception: org.apache.http.conn.HttpHostConnectException
Evaluating localHostAddr = InetAddress.getLocalHost() does allow the HTTP client to connect to the proxy and I do not observe the expected UnknownHostException.
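The thread above hinges on which Log4j version the pom actually pins. As an added check (not part of this PR or the project's own tooling), the following POSIX shell script reads the `<log4j.version>` property from a pom.xml and compares it against a required minimum; the property name is the one used in this PR's diff, the sample pom it writes is constructed for the demonstration, and the version comparison only handles numeric dotted versions.

```shell
#!/bin/sh
# Added example: verify that a pom.xml pins <log4j.version> at or above a
# required minimum. Not project code; the sample pom below is constructed.

# Print the first <log4j.version> value found in the pom given as $1.
log4j_version_of() {
  sed -n 's/.*<log4j\.version>\([^<]*\)<\/log4j\.version>.*/\1/p' "$1" | head -n 1
}

# Return 0 if dotted numeric version $1 >= $2, else 1 (e.g. 2.17.0 >= 2.15.0).
version_ge() {
  a=$1
  b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}   # leading component of a
    y=${b%%.*}   # leading component of b
    [ -z "$x" ] && x=0
    [ -z "$y" ] && y=0
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    # drop the component just compared; stop when no dot remains
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 0
}

# Report whether pom $1 pins log4j at or above $2.
# Exit status: 0 = OK, 1 = too old, 2 = property missing.
check_pom() {
  v=$(log4j_version_of "$1")
  if [ -z "$v" ]; then
    echo "no <log4j.version> property found in $1"
    return 2
  fi
  if version_ge "$v" "$2"; then
    echo "OK: log4j.version=$v (>= $2)"
    return 0
  fi
  echo "FAIL: log4j.version=$v is below required $2"
  return 1
}

# Constructed sample pom mirroring the property this PR changes.
POM=$(mktemp)
trap 'rm -f "$POM"' EXIT
cat > "$POM" <<'EOF'
<project>
  <properties>
    <maven-jar-plugin.version>3.0.2</maven-jar-plugin.version>
    <log4j.version>2.15.0</log4j.version>
  </properties>
</project>
EOF

# Demo: the PR's value fails a 2.17.0 floor and passes a 2.15.0 floor.
check_pom "$POM" "2.17.0"
echo "exit status: $?"
check_pom "$POM" "2.15.0"
echo "exit status: $?"
```

Run it against the real pom.xml by replacing `$POM` with the file path; a non-zero exit status is a convenient gate in CI so a pom that still pins an older Log4j cannot be merged silently.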
twsheehan left a comment
Looks good to me, thanks all for the patch!
Where can I find the jar files for the 2.17 release?
No description provided.