Re: [orbit-dev] [cross-project-issues-dev] log4j vulnerability in Eclips

[Alexander Fedorov <alexander.fedorov@xxxxxxxxxx>]

Hello,

Some hours ago I've found that Orbit still contributes the log4j 
vulnerability to the SimRel

Thanks to Jonah, the situation is better, now we have updated Orbit with 
log4j 2.15.0

But shouldn't we hold a train a bit to use the latest fix from Orbit 
that provides log4j 2.17.1?

Regards,
AF

12/18/2021 4:19 PM, Andrey Loskutov пишет:
> After update is before update...
>
> log4j has now 2.17.0.
> https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105
>
>
> Am 15. Dezember 2021 12:03:21 MEZ schrieb Alexander Fedorov <alexander.fedorov@xxxxxxxxxx>:
> > Thank you, Andrey!
> >
> > Just merged https://git.eclipse.org/r/c/orbit/orbit-recipes/+/188862
> > Will be working to provide Eclipse Passage 2.2.2 service release.
> >
> > Regards,
> > AF
> >
> > 12/15/2021 1:38 PM, Andrey Loskutov пишет:
> > > +1 from me.
> > > The hype is too big.
> > >
> > > Re-posting your message to collect more feedback regarding:
> > > should we replace 2.15.0 with 2.16.0 in Orbit?
> > >
> > > _______________________________________________
> > > cross-project-issues-dev mailing list
> > > cross-project-issues-dev@xxxxxxxxxxx
> > > To unsubscribe from this list, visithttps://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
> --
> Kind regards,
> Andrey Loskutov
>
> https://www.eclipse.org/user/aloskutov
> Спасение утопающих - дело рук самих утопающих