We are not vulnerable to those issues, as they are in log4j-core and we don't use that in the 1.x line. Why would we need to upgrade libs that are not dependent?
On Thu, Jan 13, 2022 at 6:47 AM Sandeep Moré <[email protected]> wrote:

> Awesome! That sounds great Sandor, thanks!
>
> On Thu, Jan 13, 2022 at 5:46 AM Sandor Molnar <[email protected]> wrote:
>
>> Hi folks,
>>
>> With our recent v1.6.1 release (an announcement is about to be sent out) we
>> are on 2.16.0 to mitigate the infamous CVE-2021-44228
>> <https://nvd.nist.gov/vuln/detail/CVE-2021-44228> security vulnerability.
>> However, there were subsequent security issues found and those
>> problems were addressed in later versions. For more information please read
>> Log4J's security vulnerability page:
>> https://logging.apache.org/log4j/2.x/security.html
>>
>> I'm proposing to kick off a new 1.6.2 release that includes the fix for
>> https://issues.apache.org/jira/browse/KNOX-2702.
>>
>> Any objection?
>>
>> Cheers,
>> Sandor
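The question the thread turns on is whether a build actually ships log4j-core (where the lookup code lives) as opposed to Log4j 1.x or log4j-api only, and at which version. The following is an added example of the inventory check a practitioner would run to settle that; it is not code from the Knox project or from anyone on the thread. It assumes the artifacts to inspect sit in a local directory of jars/wars, possibly nested (WEB-INF/lib, shaded jars). The class paths and pom.properties location are the real layout of Log4j artifacts; the minimum acceptable log4j-core version is a parameter you take from the Log4j security page linked above, and the archives the script builds as its input are a constructed fixture, not real releases.

```python
"""Inventory Log4j artifacts bundled in a directory of jars/wars.

Added example: classifies each archive as Log4j 1.x, log4j-api 2.x or
log4j-core 2.x, reads the log4j-core version from its Maven
pom.properties, records whether JndiLookup.class (the CVE-2021-44228
entry point) is present, and recurses into nested archives.
"""
import io
import re
import sys
import tempfile
import zipfile
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional, Tuple

# Real layout of Log4j artifacts (class paths and Maven metadata).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"
API_MARKER = "org/apache/logging/log4j/LogManager.class"
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
CORE_POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


@dataclass
class Finding:
    path: str               # outer path; "!" separates nested archives
    kind: str               # "log4j-1.x" | "log4j-api-2.x" | "log4j-core-2.x"
    version: Optional[str]  # from pom.properties, log4j-core only
    jndi_lookup: bool       # JndiLookup.class present in this archive


def parse_version(pom_properties: str) -> Optional[str]:
    m = re.search(r"^version=(.+)$", pom_properties, re.M)
    return m.group(1).strip() if m else None


def version_tuple(v: str) -> Tuple[int, ...]:
    """'2.17.1' -> (2, 17, 1); a '-qualifier' suffix is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0]))


def scan_archive(zf: zipfile.ZipFile, path: str, out: List[Finding]) -> None:
    names = set(zf.namelist())
    if any(n.startswith(CORE_PREFIX) for n in names):
        kind = "log4j-core-2.x"
    elif API_MARKER in names:
        kind = "log4j-api-2.x"
    elif LOG4J1_MARKER in names:
        kind = "log4j-1.x"
    else:
        kind = None
    if kind is not None:
        version = None
        if CORE_POM_PROPS in names:
            version = parse_version(zf.read(CORE_POM_PROPS).decode("utf-8", "replace"))
        out.append(Finding(path, kind, version, JNDI_LOOKUP in names))
    # Nested archives: WEB-INF/lib inside a war, or a shaded/uber jar.
    for n in sorted(names):
        if n.endswith(ARCHIVE_SUFFIXES):
            with zipfile.ZipFile(io.BytesIO(zf.read(n))) as inner:
                scan_archive(inner, f"{path}!{n}", out)


def scan_dir(root: Path) -> List[Finding]:
    findings: List[Finding] = []
    for p in sorted(root.rglob("*")):
        if p.suffix in ARCHIVE_SUFFIXES and zipfile.is_zipfile(p):
            with zipfile.ZipFile(p) as zf:
                scan_archive(zf, str(p), findings)
    return findings


def needs_action(findings: List[Finding], min_core_version: str) -> List[Finding]:
    """log4j-core archives below the floor, or with no readable version.

    Log4j 1.x and api-only archives are never returned: they do not
    contain log4j-core, which is where the lookup code lives.
    """
    floor = version_tuple(min_core_version)
    return [f for f in findings
            if f.kind == "log4j-core-2.x"
            and (f.version is None or version_tuple(f.version) < floor)]


def build_fixture(root: Path) -> Path:
    """Constructed sample input: synthetic archives, not real releases."""
    root.mkdir(parents=True, exist_ok=True)
    stub = b"\xca\xfe\xba\xbe"  # class-file magic; the scan is name-based
    with zipfile.ZipFile(root / "log4j-1.2.17.jar", "w") as z:     # Log4j 1.x
        z.writestr(LOG4J1_MARKER, stub)
    with zipfile.ZipFile(root / "log4j-api-2.16.0.jar", "w") as z:  # api only
        z.writestr(API_MARKER, stub)
    core = io.BytesIO()                                            # old core
    with zipfile.ZipFile(core, "w") as z:
        z.writestr(CORE_PREFIX + "LoggerContext.class", stub)
        z.writestr(JNDI_LOOKUP, stub)
        z.writestr(CORE_POM_PROPS, "version=2.14.1\nartifactId=log4j-core\n")
    with zipfile.ZipFile(root / "app.war", "w") as z:              # war bundling it
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
    return root


def demo(min_core_version: str) -> Tuple[List[Finding], List[Finding]]:
    with tempfile.TemporaryDirectory() as tmp:
        findings = scan_dir(build_fixture(Path(tmp) / "lib"))
    return findings, needs_action(findings, min_core_version)


if __name__ == "__main__":
    # Floor defaults to 2.16.0, the version the thread is on; pass the
    # current minimum from the Log4j security page as the first argument.
    floor = sys.argv[1] if len(sys.argv) > 1 else "2.16.0"
    all_found, bad = demo(floor)
    for f in all_found:
        print(f"{f.kind:15} version={f.version} JndiLookup={f.jndi_lookup} {f.path}")
    print(f"{len(bad)} log4j-core archive(s) below {floor}")
```

Point `scan_dir` at a real install directory instead of the fixture to get the same report for your own build. The presence of `JndiLookup.class` is reported but not used as the pass/fail criterion on its own: the class remains in later 2.x releases where its behaviour was restricted, so the version floor is what decides whether an archive needs attention.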
