more detailed info about CVE

source/fortress/news.md

@@ -8,15 +8,16 @@ title: News
 
 The Apache Directory Project announces the release of Fortress - 2.0.7.
 
-This emergency release includes an upgrade to the latest Log4j library, v2.15.0. This is our response to [CVE-2021-44228](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228).
+This emergency release includes an upgrade to the latest Log4j-core library. This is our response to [CVE-2021-44228](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228).
 
-It also includes dependency upgrades for Web and Rest deployments to be up-to-date per the latest OWASP vulnerability scans and a couple of other bug fixes.
+It also includes other dependency upgrades (to latest Spring Security, Apache CXF and Apache Wicket) for Web and Rest dependencies to be up-to-date per the latest OWASP vulnerability scans and a couple of other misc bug fixes.
 
-If using Apache Fortress 2.0.6, in any of your deployments, it is highly recommended moving to this release. Or, following the other mitigation procedures surrounding this CVE.
-
-Previous version of Fortress, before 2.0.6, used Log4j v1, and aren't impacted.
-
-Contact us on our mailing list if you have any questions.
+More info about the Log4Shell vulnerability and Apache Fortress:
+- If using the Apache Fortress Core 2.0.6, no need to upgrade.  It does pull in the Apache Log4j-core lib, but only as a test dependency.  
+- Dependent apps of the Apache Fortress Core 2.0.6 do not need to upgrade because it does not pull in the Log4j-core lib as a compile or runtime dependency.
+- Apache Fortress 2.0.6 Web (Commander) and Rest (Enmasse) deployments are affected.  Upgrade immediately, or follow the mitigation procedures as described by the Apache Log4J project.
+- Previous versions of Apache Fortress, before 2.0.6, did not use Apache Log4j and aren't affected.
+- Contact us on our mailing list if you have any questions.
 
 The Release notes: