Indeed, they invoke CVE-2021-4104 + CVE-2019-17571 as the reasons why they want to migrate.
Good news: we've obtained a deadline to 31/01/2022. Are you confident guys that we'll have the 5.17 release for this date or do we have to develop some kind of patch?

Regards,
Laurent

-----Original Message-----
From: Jean-Baptiste Onofré <j...@nanthrax.net>
Sent: Monday, 3 January 2022 18:00
To: dev@activemq.apache.org
Subject: Re: ActiveMQ 5.17 and log4j2

Log4j2 is only impacted, not log4j 1.x.

It's what I meant: ActiveMQ 5.16.x/5.15.x are not affected by log4shell vulnerability.

Regards
JB

On 03/01/2022 17:30, Xeno Amess wrote:
> Just show the log4j2 cve list to that customer, and persuade him no hurry to migrate.
>
> XenoAmess
> ________________________________
> From: JB Onofré <j...@nanthrax.net>
> Sent: Monday, January 3, 2022 11:31:30 PM
> To: dev@activemq.apache.org <dev@activemq.apache.org>
> Subject: Re: ActiveMQ 5.17 and log4j2
>
> About 5.16 no way: it’s log4j 1.x
>
> And log4j 1.x is not impacted by log4shell vulnerability so no need to update.
>
> Regards
> JB
>
>> On 3 Jan 2022 at 16:00, Laurent Blanquet <lblanq...@b2btechno.net> wrote:
>>
>> Hi Guys,
>>
>> It seems that the latest version available is still using log4j 1.2.17.
>>
>> Unfortunately we have a customer who has a strong requisite to migrate to log4j2 before 10 of January!
>>
>> Is there a (simple) means to force this version (or 5.16.3?) to use log4j 2.17?
>>
>> Regards,
>>
>> Laurent