Re: [orbit-dev] [cross-project-issues-dev] log4j vulnerability in Eclipse: update to 2.16.0?
Thank you, Matthias!
Re-posting your message to collect more feedback regarding:
should we replace 2.15.0 with 2.16.0 in Orbit?
Regards,
AF
12/15/2021 11:06 AM, Matthias Sohn wrote:
Alexander,
It would be great to learn vulnerability clean-up process with Eclipse Orbit team to then apply it to Eclipse Passage.
There is no Orbit team. Orbit is driven by project committers using/needing libraries in Orbit.
I encourage the Eclipse Passage project to submit a Gerrit review for a newer version.
considering the buzz around this vulnerability I went ahead and pushed an update to log4j 2.15 for orbit
note that the required clearlydefined score isn't reached yet, if this doesn't change soon maybe someone can contribute the missing information to clearlydefined or we file CQs to get the license approval for the new version
since the log4j project published another release 2.16.0 adding more fixes for CVE-2021-44228 I pushed another update for Orbit:
and contributed curations to the corresponding clearlydefined entries