On 14/12/2021 20:51, Brandon Sara wrote:
> Should we expect another release (like version 4.3.2) given Log4J updating to
> 2.16.0 in response to this other CVE:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-45046?
Going to the link to the log4j security page, the log4j team rates it as
"moderate" and says it's a denial-of-service attack, not code injection,
unlike 44228.
Fuseki uses log4j in default configuration.
Fuseki uses logging via slf4j.
Fuseki does not use log4j ThreadContext.
Fuseki does not use %X, %mdc, or %MDC.
The Fuseki logging built-in and default pattern uses plain %m in the
pattern:
[%d{yyyy-MM-dd HH:mm:ss}] %-10c{1} %-5p %m%n
although the user can change the log4j2 configuration to a
non-default configuration and also set their own logging pattern
locally; that's outside the distributed Fuseki binaries.
Personal opinion: I don't see a need for 4.3.2.
Andy
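As an added example (not from the thread or the Jena project): a small Python checker that flags log4j2 PatternLayout strings using the Thread Context converters Andy lists (%X, %mdc, %MDC), plus the ${ctx:...} lookup, which is added here from the log4j2 documentation rather than the thread; the sample XML configuration is constructed.

```python
import re

# Pattern converters that pull Thread Context Map (MDC) values into the log
# line; CVE-2021-45046 concerns non-default layouts that use them. The three
# converters are the ones named in the thread; the ${ctx:...} lookup is added
# here from the log4j2 documentation.
CONTEXT_LOOKUPS = [r"%X\b", r"%mdc\b", r"%MDC\b", r"\$\$?\{ctx:"]

# Fuseki's built-in default pattern, as quoted in the thread.
FUSEKI_DEFAULT = "[%d{yyyy-MM-dd HH:mm:ss}] %-10c{1} %-5p %m%n"

# Constructed sample: one appender with the Fuseki default, one that a site
# might have added locally with a Thread Context converter.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="OUT" target="SYSTEM_OUT">
      <PatternLayout pattern="[%d{yyyy-MM-dd HH:mm:ss}] %-10c{1} %-5p %m%n"/>
    </Console>
    <Console name="AUDIT" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %X{requestId} %m%n"/>
    </Console>
  </Appenders>
</Configuration>
"""


def find_context_lookups(pattern: str) -> list[str]:
    """Return the Thread Context converters/lookups used in one layout pattern."""
    hits = []
    for regex in CONTEXT_LOOKUPS:
        hits.extend(re.findall(regex, pattern))
    return hits


def audit_log4j2_xml(xml_text: str) -> list[tuple[str, list[str]]]:
    """List every PatternLayout pattern in a log4j2 XML config that uses
    Thread Context data, paired with the converters found in it."""
    patterns = re.findall(r'pattern="([^"]*)"', xml_text)
    return [(p, find_context_lookups(p)) for p in patterns if find_context_lookups(p)]


if __name__ == "__main__":
    print("default pattern:", find_context_lookups(FUSEKI_DEFAULT) or "no Thread Context use")
    for pattern, hits in audit_log4j2_xml(SAMPLE_XML):
        print("review:", pattern, "->", hits)
```

Patterns reported by audit_log4j2_xml are the ones worth reviewing when deciding whether a locally changed configuration is exposed to 45046; the Fuseki default produces no hits.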