[https://issues.apache.org/jira/browse/QPIDJMS-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17108428#comment-17108428]
ASF GitHub Bot commented on QPIDJMS-503:
----------------------------------------
gemmellr commented on pull request #36:
URL: https://github.com/apache/qpid-jms/pull/36#issuecomment-629346768
Thanks Alex, I've applied your changes, along with some further ones of my
own in
https://github.com/apache/qpid-jms/commit/1cd565a54b8a0928e61a8ca40432f07ffd1c873b
that bump the version up to 2.13.3, fix some issues, simplify the
config a bit, and move to -test specific file names for the test-only configs.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
> Upgrade log4j dependency to log4j2
> ----------------------------------
>
> Key: QPIDJMS-503
> URL: https://issues.apache.org/jira/browse/QPIDJMS-503
> Project: Qpid JMS
> Issue Type: Task
> Components: qpid-jms-client
> Reporter: Alex Rudyy
> Priority: Major
>
> log4j 1.x reached EOL on August 5, 2015 as per
> [http://logging.apache.org/log4j/1.2/]. The client is distributed with an
> optional dependency on log4j 1.2.17. There is
> [CVE-2019-17571|https://nvd.nist.gov/vuln/detail/CVE-2019-17571] raised
> against this version for the class SocketServer, which is vulnerable to
> deserialization of untrusted data. Though no log4j configuration in the Qpid
> JMS client uses SocketServer, open source scanning tools flag the JMS
> client bundle as being impacted by CVE-2019-17571.
> In order to silence such open source scanning tools, the log4j dependencies
> can be upgraded to log4j2.
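As an added illustration (not code from the pull request or the qpid-jms project), the Maven dependency shape the issue and the comment above describe: the optional log4j 1.2.17 dependency beside a log4j 2 replacement at 2.13.3. The artifact ids and the `log4j2-test.properties` file name are assumptions; the page itself gives only the two versions and the move to -test specific names for test-only configs.

```xml
<!-- Before: log4j 1.x, EOL since August 2015 and flagged by scanners for
     CVE-2019-17571 (the SocketServer deserialization issue). Shape assumed. -->
<dependency>
  <groupId>log4j</groupId>
  <artifactId>log4j</artifactId>
  <version>1.2.17</version>
  <optional>true</optional>
</dependency>

<!-- After: log4j 2 at the version the commit bumped to. The artifact ids are
     assumed; the client's own logging facade decides whether a bridge such as
     log4j-slf4j-impl is needed in addition to log4j-core. -->
<dependency>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-core</artifactId>
  <version>2.13.3</version>
  <optional>true</optional>
</dependency>

<!-- Test-only configuration: log4j 2 looks for log4j2-test.* on the classpath
     before log4j2.*, so a file under src/test/resources named
     log4j2-test.properties (assumed name) is used by the test run only and is
     never packaged into the client jar that scanners inspect. -->
```

Pin the newest 2.x release available rather than 2.13.3 itself, which was simply current when the comment was written; the same dependency scanners that flagged 1.2.17 will flag a stale 2.x just as readily.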
--
This message was sent by Atlassian Jira
(v8.3.4#803005)