[ https://issues.apache.org/jira/browse/AVRO-3304?focusedWorklogId=712869&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-712869 ]

ASF GitHub Bot logged work on AVRO-3304:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 21/Jan/22 13:39
            Start Date: 21/Jan/22 13:39
    Worklog Time Spent: 10m 
      Work Description: martin-g commented on pull request #1464:
URL: https://github.com/apache/avro/pull/1464#issuecomment-1018513371


Hi @pjfanning!
We have updated avro**-tools** to exclude the transitive dependency on log4j
1.x and added a dependency on reload4j. So log4j could be in the classpath only
if you add it by other means in your application build configuration, or if it
comes as a transitive dependency of another dependency.
But yes, if you have both in the classpath then a random one will be chosen.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@avro.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

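The exclusion martin-g describes, written out as a Maven fragment for an application that depends on avro-tools (an added example, not the Avro project's own pom; the version values are placeholders, while the artifact coordinates are the published ones for avro-tools, log4j 1.x and reload4j):

```xml
<!-- Consumer pom.xml fragment (added example, not from the Avro project) -->
<dependencies>
  <dependency>
    <groupId>org.apache.avro</groupId>
    <artifactId>avro-tools</artifactId>
    <version>AVRO_TOOLS_VERSION</version> <!-- placeholder -->
    <exclusions>
      <!-- Drop log4j 1.x if it still arrives transitively -->
      <exclusion>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <!-- reload4j is the maintained drop-in replacement for log4j 1.2.x -->
  <dependency>
    <groupId>ch.qos.reload4j</groupId>
    <artifactId>reload4j</artifactId>
    <version>RELOAD4J_VERSION</version> <!-- placeholder -->
  </dependency>
</dependencies>
```

Because both artifacts provide the same org.apache.log4j classes, run `mvn dependency:tree -Dincludes=log4j:log4j` afterwards: an empty result confirms that no other dependency is still pulling log4j 1.x onto the classpath.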

Issue Time Tracking
-------------------

    Worklog Id:     (was: 712869)
    Time Spent: 2h 20m  (was: 2h 10m)

> avro-tools Update log4j dependency for critical vulnerability
> -------------------------------------------------------------
>
>                 Key: AVRO-3304
>                 URL: https://issues.apache.org/jira/browse/AVRO-3304
>             Project: Apache Avro
>          Issue Type: Task
>          Components: tools
>    Affects Versions: 1.11.0
>            Reporter: Daniel Nash
>            Assignee: Ryan Skraba
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 1.11.1, 1.12.0
>
>          Time Spent: 2h 20m
>  Remaining Estimate: 0h
>
> Our company security is having a fit because Nessus scans are triggering on 
> the bundled log4j in the avro-tools.jar.  Please update the log4j 
> dependencies to the latest versions to remove the critical vulnerability 
> present in the currently bundled log4j.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
