Hello

With https://github.com/ops4j/org.ops4j.pax.logging/issues/416, Pax Logging 2.0.12 and 1.11.11 already use Log4j2 2.16.0.

regards
Grzegorz Grzybek

On Wed, 15 Dec 2021 at 07:36, Serge Huber <shu...@jahia.com.invalid> wrote:
> Given that log4j 2.15.0 has been found to have a Denial of service should
> we re-release with 2.16.0 ?
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
>
> Note that previous mitigations involving configuration such as to set the
> system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this
> specific vulnerability. Log4j 2.16.0 fixes this issue by removing support
> for message lookup patterns and disabling JNDI functionality by default.
> This issue can be mitigated in prior releases (<2.16.0) by removing the
> JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar
> org/apache/logging/log4j/core/lookup/JndiLookup.class).
>
> Regards,
> Serge...
>
> Serge Huber
> CTO & Co-Founder
> T +41 22 361 3424
> 9 route des Jeunes | 1227 Acacias | Switzerland
> jahia.com <http://www.jahia.com/>
> SKYPE | LINKEDIN <https://www.linkedin.com/in/sergehuber> | TWITTER
> <https://twitter.com/sergehuber> | VCARD
> <http://www.jahia.com/vcard/HuberSerge.vcf>
>
> JOIN OUR COMMUNITY <http://www.jahia.com/> to evaluate, get trained and
> to discover why Jahia is a leading User Experience Platform (UXP) for
> Digital Transformation.
>
> On Wed, Dec 15, 2021 at 7:28 AM Francois Papon <francois.pa...@openobject.fr> wrote:
> > +1 (binding)
> >
> > Thanks JB!
> >
> > regards,
> >
> > Francois
> >
> > On 15/12/2021 05:43, JB Onofré wrote:
> > > Hi everyone,
> > >
> > > I submit Apache Karaf runtime 4.3.4 to your vote (take #3).
> > >
> > > This release includes dependency upgrades, fixes, and improvements,
> > > especially:
> > >
> > > - upgrade to Pax Logging 2.0.12, upgrading to log4j2 2.0.15, fixing
> > >   important security issue (CVE-2021-44228) and fixing JNDI issue
> > > - align dependencies versions between Karaf and Pax *
> > > - fix missing system export packages
> > > - fix on Karaf features json support
> > > - fix features autoRefresh configuration handling
> > > - fix on sshd session handling
> > > - update to sshd 2.8.0
> > > - lot of pax * updates
> > > - and much more !
> > >
> > > Please take a look on Release Notes for details !
> > >
> > > Release Notes:
> > >
> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350547
> > >
> > > Staging Maven Repository:
> > >
> > > https://repository.apache.org/content/repositories/orgapachekaraf-1165/
> > >
> > > Staging Dist Repository:
> > > https://dist.apache.org/repos/dist/dev/karaf/4.3.4/
> > >
> > > Git tag:
> > > karaf-4.3.4
> > >
> > > Please vote to approve this release:
> > >
> > > [ ] +1 Approve the release
> > > [ ] -1 Don't approve the release (please provide specific comments)
> > >
> > > This vote will be open for at least 72 hours.
> > >
> > > Regards
> > > JB
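The thread above discusses two states a deployed log4j-core jar can be in: upgraded to 2.16.0 (where JNDI is disabled by default and message lookups are gone) or still at an earlier release with the `JndiLookup` class stripped from the jar as Serge's `zip -q -d` example shows. The following added example, which is not part of this mailing-list thread nor of Karaf or Pax Logging, is an inventory check a defender can run over jars on a host: it reads the `Implementation-Version` from the manifest, reports whether `org/apache/logging/log4j/core/lookup/JndiLookup.class` is still present, flags jars that are both below 2.16.0 and still carry the class, and reproduces the `zip -d` removal in Python. The jars it builds are constructed stand-ins containing only the manifest and a couple of placeholder class entries; the threshold `(2, 16, 0)` is taken from the thread, and a jar with no readable version is treated conservatively as exposed when the class is present.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Entry that the zip -d mitigation in the thread removes from log4j-core.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Release in which lookups were removed and JNDI disabled by default (per the thread).
FIXED_VERSION = (2, 16, 0)


def parse_version(text):
    """'2.16.0-rc1' -> (2, 16, 0); pads missing components with zeros."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def log4j_core_version(zf):
    """Return the Implementation-Version from the jar manifest, or None if absent."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    return m.group(1) if m else None


def scan_jar(path):
    """Report version, presence of JndiLookup.class, and whether the jar still needs action."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = log4j_core_version(zf)
    has_jndi = JNDI_LOOKUP in names
    # Unknown version is NOT assumed fixed: only a parsed version >= 2.16.0 counts.
    fixed_by_version = version is not None and parse_version(version) >= FIXED_VERSION
    return {
        "version": version,
        "has_jndi_lookup": has_jndi,
        "exposed": has_jndi and not fixed_by_version,
    }


def remove_jndi_lookup(path):
    """Python equivalent of: zip -q -d log4j-core-*.jar <JNDI_LOOKUP>.

    zipfile cannot delete entries in place, so the archive is rewritten without it.
    """
    src = Path(path)
    tmp = src.with_name(src.name + ".tmp")
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(tmp, "w") as zout:
        for item in zin.infolist():
            if item.filename == JNDI_LOOKUP:
                continue
            zout.writestr(item, zin.read(item.filename))
    tmp.replace(src)
    return scan_jar(src)


def make_sample_jar(path, version, include_jndi=True):
    """Constructed stand-in for a log4j-core jar: only the entries this check inspects."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        # Placeholder class bytes (Java class magic only); real jars hold full bytecode.
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def demo():
    """Scan a constructed 2.15.0 jar before and after removal, and a 2.16.0 jar untouched."""
    with tempfile.TemporaryDirectory() as d:
        old = Path(d) / "log4j-core-2.15.0.jar"
        new = Path(d) / "log4j-core-2.16.0.jar"
        make_sample_jar(old, "2.15.0")
        make_sample_jar(new, "2.16.0")  # 2.16.0 still ships the class, but JNDI is off by default
        return {
            "2.15.0 before": scan_jar(old),
            "2.15.0 after": remove_jndi_lookup(old),
            "2.16.0": scan_jar(new),
        }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:14} {result}")
```

The `exposed` flag is deliberately conservative: a jar whose manifest has no parseable version is reported as needing attention whenever the class is present, since the check cannot prove it is at a fixed release. On a real host, pass each `log4j-core-*.jar` found on the filesystem to `scan_jar` and act on those reported as exposed, either by upgrading (as the Pax Logging 2.0.12 / 1.11.11 releases do) or by removing the class as Serge's command does.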