[
https://issues.apache.org/jira/browse/GROOVY-11824?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Paul King resolved GROOVY-11824.
--------------------------------
Fix Version/s: 4.0.30, 5.0.4
Resolution: Fixed
> Bump log4j2 version to 2.25.3 (test dependency)
> -----------------------------------------------
>
> Key: GROOVY-11824
> URL: https://issues.apache.org/jira/browse/GROOVY-11824
> Project: Groovy
> Issue Type: Dependency upgrade
> Reporter: Paul King
> Assignee: Paul King
> Priority: Minor
> Fix For: 4.0.30, 5.0.4
>
>
> Groovy doesn't bundle a version of Log4j in its distribution nor list it as a
> dependency in its pom (or bom), so isn't directly affected by CVE-2021-44832
> (see https://logging.apache.org/log4j/2.x/security.html).
> However, Groovy users using the Log4j2 AST transform (or using Log4j2
> directly) may wish to update their version of Log4j or note the security
> workarounds mentioned in the above security vulnerability link.
> See also:
> * LOG4J2-3293: JDBC Appender should use JNDI Manager and JNDI access should
> be limited
> * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832