Update Infinispan image to 11.0.13.Final #326
Conversation
|
The failed test is because of a missing I'm currently checking whether changing the image here is needed at all. It isn't clear yet whether the used native server image is affected by the vulnerability. |
|
Infinispan version 11.0.13 is using version 2.15.0 which is still affected by (CVE-2021-45046). Maybe it's best to only update when infinispan updates to use log4j 2.16.0? |
Signed-off-by: Carsten Lohmann <carsten.lohmann@bosch.io>
calohmn
force-pushed
the
PR/ispn_update
branch
from
2ec5b5e
to
130f15f
Compare
|
It seems the native image is not affected by the vulnerability. Nonetheless, I think we can do the update here and then switch again to the native image version which is supposed to be available again with the coming 13.0.4 version (using log4j 2.16.0 then). @sophokles73 WDYT? |
What information/analysis is this assessment based on? If this assessment is correct, then I tend to agree with @LOorts-Aloxy that we could wait for 13.0.4 to be released and then do the upgrade in one go. |
Discussions in Infinispan chat and infinispan/infinispan-images#67. |
|
No 100% clear statement there though, so merging this to be extra cautious and get the used version here off the radar. We can see this as an intermediate step en route to the 13.0.4 update, to be done once it is available. |
Update Infinispan to version with updated log4j (CVE-2021-44228). Using the non-native image since there are no native versions of the current Infinispan releases.