
Conversation

@stigkj
Copy link
Contributor

@stigkj stigkj commented Dec 10, 2021

There is a critical vulnerability in Log4j, more information here:
https://www.lunasec.io/docs/blog/log4j-zero-day/

@hudson155
Copy link

LGTM – thanks for doing this

@oshai
Copy link
Owner

oshai commented Dec 10, 2021

Thanks for the PR!

@oshai oshai merged commit 8e7b55e into oshai:master Dec 10, 2021
@edeak
Copy link

edeak commented Dec 10, 2021

@hudson155 do you guys have an ETA for rolling this out to a release?

@oshai
Copy link
Owner

oshai commented Dec 11, 2021

I am releasing 2.1.16 with the change now. Note that since this is only a test dep it's not transitive, so not really needed by users of the lib.

@nippip
Copy link

nippip commented Dec 13, 2021

I am releasing 2.1.16 with the change now. Note that since this is only a test dep it's not transitive, so not really needed by users of the lib.

@oshai Would you mind elaborating on your statement above and point to some code snips to better understand how this is or is not affecting users of the lib?

@oshai
Copy link
Owner

oshai commented Dec 13, 2021

@oshai Would you mind elaborating on your statement above and point to some code snips to better understand how this is or is not affecting users of the lib?

kotlin-logging is a facade (similar to slf4j), meaning it only wraps the implementation you choose as a logging framework.
Popular implementations are logback and log4j.
On the tests of kotlin-logging we needed an actual implementation to use. We could write our own mocks but it makes more sense to take an actual impl for that to reflect how users use the lib. So kotlin-logging depends on log4j for testing only.
Example of such tests can be seen here.
You can see the dependency here:
[image]

It means that this dependency does not pass transitively to users of kotlin-logging, and therefore users don't need to upgrade kotlin-logging itself. You can also see that in the pom that is generated for kotlin-logging.
For people to feel more safe and for our own safety (when running tests) we upgraded kotlin-logging dependency on log4j.
So it's not really needed, but I will not stop you from upgrading.

Hope that clears things a bit more. You can see some more info on the issue #206.
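The point above, that a test-only dependency never reaches consumers, can be verified directly against the POM a library publishes. The script below is an added example and is not part of kotlin-logging; it applies the Maven scope rule (only compile- and runtime-scope, non-optional dependencies are transitive; test, provided and system scope are not) to a constructed sample POM that stands in for a published facade library. The sample coordinates and versions are made up for illustration, and the real POM a consumer should inspect is the one fetched from the repository for the exact artifact version they depend on. A Gradle `testImplementation` dependency is omitted from the generated POM entirely, so for that case the check simply finds no log4j entry at all.

```python
"""Report which dependencies declared in a Maven POM actually reach consumers.

Added example, not project code. Maven rule applied: a dependency is
transitive to downstream projects only when its scope is compile (the default)
or runtime and it is not marked <optional>true</optional>. Test-, provided- and
system-scoped dependencies stay with the declaring project only.
"""
import xml.etree.ElementTree as ET

TRANSITIVE_SCOPES = {"compile", "runtime"}

# Constructed sample POM (not the real kotlin-logging POM): a facade that
# depends on slf4j-api at compile scope and uses log4j only in its tests.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>facade-lib</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.32</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.14.1</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-slf4j-impl</artifactId>
      <version>2.14.1</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""

# Same POM with the first test scope (log4j-core) changed to compile scope:
# the "leaking" case in which the logging backend would reach consumers.
SAMPLE_POM_LEAKING = SAMPLE_POM.replace("<scope>test</scope>", "<scope>compile</scope>", 1)


def _qualified(root, tag):
    """Return tag qualified with the POM's XML namespace, if it declares one."""
    if root.tag.startswith("{"):
        return "{%s}%s" % (root.tag[1:].split("}")[0], tag)
    return tag


def _child_text(root, element, tag, default=""):
    child = element.find(_qualified(root, tag))
    if child is None or child.text is None:
        return default
    return child.text.strip()


def declared_dependencies(pom_xml):
    """Parse every <dependency> in the POM into a dict with its effective scope."""
    root = ET.fromstring(pom_xml)
    path = "%s/%s" % (_qualified(root, "dependencies"), _qualified(root, "dependency"))
    deps = []
    for dep in root.findall(path):
        deps.append({
            "coordinate": "%s:%s" % (_child_text(root, dep, "groupId"),
                                     _child_text(root, dep, "artifactId")),
            "version": _child_text(root, dep, "version"),
            # No <scope> element means compile scope in Maven.
            "scope": _child_text(root, dep, "scope", "compile"),
            "optional": _child_text(root, dep, "optional", "false").lower() == "true",
        })
    return deps


def consumer_visible(pom_xml):
    """Coordinates that a project depending on this artifact will pull in."""
    return [d["coordinate"] for d in declared_dependencies(pom_xml)
            if d["scope"] in TRANSITIVE_SCOPES and not d["optional"]]


def log4j_reaches_consumers(pom_xml):
    """True if any Log4j 2 artifact is transitive to consumers of this POM."""
    return any(c.startswith("org.apache.logging.log4j:") for c in consumer_visible(pom_xml))


if __name__ == "__main__":
    for name, pom in (("test-only log4j", SAMPLE_POM), ("compile-scope log4j", SAMPLE_POM_LEAKING)):
        print(name)
        for d in declared_dependencies(pom):
            print("  %-45s scope=%-8s transitive=%s" % (
                d["coordinate"], d["scope"],
                d["scope"] in TRANSITIVE_SCOPES and not d["optional"]))
        print("  log4j reaches consumers:", log4j_reaches_consumers(pom))
```

Running it against the sample prints only `org.slf4j:slf4j-api` as consumer-visible for the test-only case and flags log4j for the leaking variant. Against a real artifact, feed it the POM downloaded from the repository, and remember that this only covers dependencies the POM declares directly; a full transitive picture needs the same check applied down the tree, which `mvn dependency:tree` or `gradle dependencies` already does for the project consuming the library.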

@stigkj stigkj deleted the log4j-vulnerability branch December 17, 2021 15:20
5 participants