SpComb commented on pull request #608: URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-993560912
> I'm not quite sure what that means or where we should continue the discussion about that, if it's a new attack vector etc.

This should really have been reported privately, or at the minimum via a separate GitHub issue, rather than via a public GitHub PR comment.

For anyone else that may come across similar follow-up issues, I suggest you follow the instructions on the log4j project website, and use the priv...@logging.apache.org email address: https://logging.apache.org/log4j/2.x/security.html

> If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, or if the descriptions here are incomplete, please report them privately to the [Log4j Security Team](priv...@logging.apache.org). Thank you.

If this does turn out to be a new attack vector, it probably needs a new CVE number. I've attempted to contact the relevant security contacts to take this further, I don't know what else to do.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@logging.apache.org

For queries about this service, please contact Infrastructure at: us...@infra.apache.org