This is an automated email from the ASF dual-hosted git repository.
vy pushed a commit to branch release-2.x
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git
The following commit(s) were added to refs/heads/release-2.x by this push:
new c6a20c6cdc Update security page to reflect that config access won't
qualify
c6a20c6cdc is described below
commit c6a20c6cdccbf5b92e2eb666c7b2fbd9042f8b5f
Author: Volkan Yazıcı <[email protected]>
AuthorDate: Fri Feb 3 14:28:39 2023 +0100
Update security page to reflect that config access won't qualify
---
src/site/markdown/security.md | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/site/markdown/security.md b/src/site/markdown/security.md
index 4cf9320cc6..2b5d7386cd 100644
--- a/src/site/markdown/security.md
+++ b/src/site/markdown/security.md
@@ -42,7 +42,9 @@ Log4j [Users mailing list](mail-lists.html).
If you have encountered an unlisted security vulnerability or other unexpected
behaviour
that has security impact, or if the descriptions here are incomplete, please
report them
-privately to the [Log4j Security Team](mailto:[email protected]).
Thank you!
+privately to [the Log4j Security Team](mailto:[email protected]).
+Note that reports assuming attacker's access to the Log4j configuration will
not qualify as a vulnerability.
+Thank you for your understanding and help!
<a name="CVE-2021-44832"/><a name="cve-2021-44832"/>
## <a name="log4j-2.17.1"/> Fixed in Log4j 2.17.1 (Java 8), 2.12.4 (Java 7)
and 2.3.2 (Java 6)
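Review bot: The added sentence "Note that reports assuming attacker's access to the Log4j configuration will not qualify as a vulnerability" leaves "access" undefined, so a reporter cannot tell whether the exclusion covers read access, write access, or both. State the assumption explicitly; if write access is what is meant, something like "Issues that require the attacker to be able to modify the Log4j configuration are not considered vulnerabilities" would do. The wording also needs an article ("an attacker's access"), and it is the reported issue, not the report, that does or does not qualify as a vulnerability.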