This is an automated email from the ASF dual-hosted git repository. chriss pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push: new bda48b3 NIFI-9504 Upgraded Logback from 1.2.8 to 1.2.9 bda48b3 is described below commit bda48b3f87ad11ffcee54cd465ae6384c26fa3f1 Author: exceptionfactory <exceptionfact...@apache.org> AuthorDate: Sat Dec 18 14:30:06 2021 -0600 NIFI-9504 Upgraded Logback from 1.2.8 to 1.2.9 NIFI-9505 Upgraded Log4j 2 from 2.16.0 to 2.17.0 Signed-off-by: Chris Sampson <chris.sampso...@gmail.com> This closes #5615 --- pom.xml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/pom.xml b/pom.xml
index 02c94b2..e447221 100644
--- a/pom.xml
+++ b/pom.xml
@@ -111,7 +111,7 @@
 <gcs.version>2.1.5</gcs.version>
 <aspectj.version>1.9.6</aspectj.version>
 <jersey.version>2.33</jersey.version>
- <logback.version>1.2.8</logback.version>
+ <logback.version>1.2.9</logback.version>
 <mockito.version>3.11.2</mockito.version>
 <netty.3.version>3.10.6.Final</netty.3.version>
 <netty.4.version>4.1.69.Final</netty.4.version>
@@ -485,11 +485,11 @@
 <artifactId>aspectjweaver</artifactId>
 <version>${aspectj.version}</version>
 </dependency>
- <!-- Override log4j-core and related Log4j 2 libraries for transitive dependencies to address CVE-2021-44228 -->
+ <!-- Override log4j-core and related Log4j 2 libraries for transitive dependencies to multiple vulnerabilities -->
 <dependency>
 <groupId>org.apache.logging.log4j</groupId>
 <artifactId>log4j-bom</artifactId>
- <version>2.16.0</version>
+ <version>2.17.0</version>
 <scope>import</scope>
 <type>pom</type>
 </dependency>
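Review bot: The rewritten comment above the `log4j-bom` import in the second hunk loses both its verb and its CVE reference, so it no longer records which fixes this override is meant to guarantee. I would write `<!-- Override log4j-core and related Log4j 2 libraries for transitive dependencies to address CVE-2021-44228 and later Log4j 2 vulnerabilities -->` and add the identifier of the advisory that motivated 2.17.0, so a later audit can check the pin against a concrete list. The comment in the third hunk ("due to multiple vulnerability") has the same gap and should name the same advisories. The enclosing section of pom.xml starts outside the hunk.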
@@ -795,8 +795,8 @@
 <exclude>com.google.code.findbugs:jsr305:*:*:compile</exclude>
 <!-- Log4J excluded in favor of log4j-over-slf4j and logback -->
 <exclude>log4j:log4j:*</exclude>
- <!-- Ban log4j-core less than 2.15.0 due to Log4Shell vulnerability -->
- <exclude>org.apache.logging.log4j:log4j-core:(,2.15.0)</exclude>
+ <!-- Ban log4j-core less than 2.17.0 due to multiple vulnerability -->
+ <exclude>org.apache.logging.log4j:log4j-core:(,2.17.0)</exclude>
 <!-- Commons Logging excluded in favor of jcl-over-slf4j -->
 <exclude>commons-logging:commons-logging:*</exclude>
 </excludes>
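Review bot: The ban range `(,2.17.0)` repeats by hand the version literal already pinned on the `log4j-bom` import, and the removed lines show the two had already drifted: the floor still read `(,2.15.0)` while the BOM was at 2.16.0. Defining one property (for example `<log4j2.version>2.17.0</log4j2.version>`, name to be agreed) and referencing it in both places, here as `<exclude>org.apache.logging.log4j:log4j-core:(,${log4j2.version})</exclude>`, would keep the build-time floor in step with the next upgrade. The `<excludes>` list appears to belong to a banned-dependencies rule whose configuration starts outside the hunk, so this is worth checking against the full rule.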