maven-issues mailing list archives

From "Sylwester Lachiewicz (Jira)" <j...@apache.org>
Subject [jira] [Commented] (DOXIA-610) Update doxia-module-fo to not use log4j
Date Thu, 20 Aug 2020 07:46:00 GMT

    [ https://issues.apache.org/jira/browse/DOXIA-610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17180999#comment-17180999 ]

Sylwester Lachiewicz commented on DOXIA-610:
--------------------------------------------

Done in [a3404a296f4657268cb52248ddad9b5d8f252391|https://gitbox.apache.org/repos/asf?p=maven-doxia.git;a=commit;h=a3404a296f4657268cb52248ddad9b5d8f252391]

> Update doxia-module-fo to not use log4j
> ---------------------------------------
>
>                 Key: DOXIA-610
>                 URL: https://issues.apache.org/jira/browse/DOXIA-610
>             Project: Maven Doxia
>          Issue Type: Dependency upgrade
>          Components: Module - FO
>    Affects Versions: 1.9.1
>            Reporter: John Burnham
>            Assignee: Sylwester Lachiewicz
>            Priority: Major
>             Fix For: 1.9.2
>
>
> This is critical for a release.  The version of log4j is 1.2.17 and contains the following security risk:
> [CVE_2020_9488|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9488]
> This should be updated to use org.apache.logging.log4j:log4j-core:2.13.2



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
