ppkarwasz opened a new pull request, #40:
URL: https://github.com/apache/logging-site/pull/40

   CVE-2026-49844 covers the `MapMessage.asJson()` code path in Log4j API that 
the CVE-2026-34481 fix in JSON Template Layout 2.25.4 did not reach. It affects 
`log4j-api` `[2.13.1, 2.25.5)`, `[2.26.0, 2.26.1)` and `[3.0.0-alpha1, 
3.0.0-beta2]`, and is fixed in 2.25.5 and 2.26.1.
   
   CVE-2026-34481 is amended to note that an `ObjectMessage`, e.g. one produced 
by `Logger.info(Object)`, is also affected, and to point at the follow-up CVE.
   
   Add a `log4j-api` dummy component to the VDR, bump the BOM version and 
refresh the affected `updated` elements.
   
   Assisted-By: Claude Opus 4.8 (1M context) <[email protected]>


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to