Bump log4j to 2.17.0

[pcoelho-coveo]

Version 2.17.0 fixes the issue CVE-2021-45105

[garydgregory]

Simple enough ;-)

[pcoelho-coveo]

Hi @garydgregory, do we have a date to the next release? My team would love to upgrade our current version to the one that has this fix.

Thanks.

[ok2c]

@pcoelho-coveo Why would you need this fix? HttpClient runtime does not depend on log4j2-core.

[pcoelho-coveo]

Yeah I am aware of that. We have an internal tool that scan our dependencies and it is currently flagging our http client dependency, even though the log4j is used only on the tests and is not included on our classpath.

[ok2c]

@pcoelho-coveo You should consider fixing the tool.

[michael-o]

@pcoelho-coveo You should consider fixing the tool.

Same shit from commercial scanners over and over again. A colleague of mine was requested to patch the following file: log4j-....pom

@ok2c If course we can fix that, the release manager receives a payment for the release from @pcoelho-coveo employer.

[garydgregory]

Hi @garydgregory, do we have a date to the next release? My team would love to upgrade our current version to the one that has this fix.

Thanks.

You should use 2.17.1, it's been available for a while now.