Bump log4j-core and log4j-api from 2.15.0 to 2.16.0 #6079

Merged
merged 1 commit into from Dec 15, 2021

Conversation

juanluisrp
Contributor

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete
in certain non-default configurations.

As far as we know GeoNetwork doesn't use any of these pattern layouts but anyway this
commit updates log4j to 2.16.0 that fixes the new CVE-2021-45046 disabling access to
JNDI by default and removing the message lookups feature.
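
The description above says GeoNetwork is not believed to use the affected pattern layouts. One way to check that claim against a Log4j 2 configuration file, as an added example that is not part of this pull request or of GeoNetwork's code: the trigger constructs are the ones named in the public CVE-2021-45046 advisory (Context Lookups such as `${ctx:...}` and the Thread Context Map patterns `%X`, `%mdc`, `%MDC`), while the function names and the sample configuration are constructed for illustration.

```python
import re

# Constructs the CVE-2021-45046 advisory names as the non-default trigger:
# Context Lookups (${ctx:...}) and Thread Context Map patterns (%X, %mdc, %MDC).
CTX_LOOKUP = re.compile(r"\${1,2}\{ctx:[^}]*\}")
MDC_PATTERN = re.compile(r"%-?\d*(?:\.\d+)?(?:X|mdc|MDC)(?![A-Za-z])(?:\{[^}]*\})?")
FIXED_IN = (2, 16, 0)  # the version this pull request moves to


def parse_version(version):
    """Turn '2.15.0' into (2, 15, 0) so versions compare as tuples."""
    return tuple(int(part) for part in version.split("."))


def find_risky_patterns(config_text):
    """Return (line_number, kind, matched_text) for each trigger construct."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        for kind, regex in (("context-lookup", CTX_LOOKUP),
                            ("thread-context-map", MDC_PATTERN)):
            for match in regex.finditer(line):
                findings.append((number, kind, match.group(0)))
    return findings


def affected_by_45046(version, config_text):
    """True only if the version predates 2.16.0 AND a trigger construct is configured.
    Covers this CVE's condition only: versions below 2.15.0 are affected by
    CVE-2021-44228 regardless of layout."""
    findings = find_risky_patterns(config_text)
    return parse_version(version) < FIXED_IN and bool(findings), findings


# Constructed sample configuration (not GeoNetwork's real log4j2.xml).
SAMPLE_CONFIG = """<Configuration>
  <Appenders>
    <Console name="plain">
      <PatternLayout pattern="%d %-5p [%c] - %m%n"/>
    </Console>
    <File name="audit" fileName="audit.log">
      <PatternLayout pattern="%d %X{sessionId} ${ctx:user} %m%n"/>
    </File>
  </Appenders>
</Configuration>"""

if __name__ == "__main__":
    for version in ("2.15.0", "2.16.0"):
        print(version, affected_by_45046(version, SAMPLE_CONFIG))
```

An empty findings list for every configuration file in a deployment supports the "doesn't use any of these pattern layouts" statement; the upgrade to 2.16.0 removes the dependency on that being true.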

@josegar74 josegar74 merged commit 8f4d22f into geonetwork:main Dec 15, 2021
josegar74 pushed a commit that referenced this pull request Dec 15, 2021
josegar74 pushed a commit that referenced this pull request Dec 15, 2021
josegar74 pushed a commit that referenced this pull request Dec 17, 2021
josegar74 pushed a commit that referenced this pull request Dec 17, 2021
josegar74 pushed a commit that referenced this pull request Dec 17, 2021
@juanluisrp juanluisrp mentioned this pull request Apr 25, 2022
Labels
backport 3.10.x backport 3.12.x dependencies Pull requests that update a dependency file

2 participants