Users have a valid mitigation that is easy to apply (that sys prop =true), and they could upgrade Log4j themselves if they are extra paranoid (e.g. corp mandates, which I am familiar with). So I think no further action by our project is necessary.
(Merry Christmas to you all)

On Fri, Dec 24, 2021 at 11:11 AM Shawn Heisey <[email protected]> wrote:

> On 12/24/2021 5:12 AM, Jan Høydahl wrote:
> > Merry Christmas to all fellow committers and the wider community!
> >
> > If there are no plans of (quickly) releasing a 7.7.4 with all known
> > vulnerabilities fixed, I propose we publish a statement that 7.x is
> > officially not supported and urge users to upgrade to 8.11.
>
> I agree. 7.x is in maintenance mode until 9.0 is released, and users
> have a few options for a workaround. If patching and recompiling were
> the only option for users to fix the problem themselves, then I think we
> would need to make a new release.
>
> Thanks,
> Shawn
