Update log4j-core and log4j-api dependencies to 2.15.0 #285

Merged
merged 1 commit into from
Dec 10, 2021

carlzogh
Contributor

Description of changes:

  • Update log4j-core and log4j-api dependencies to 2.15.0
  • Stage update to aws-lambda-java-log4j2 version 1.3.0

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Collaborator

@msailes msailes left a comment

👍

@carlzogh carlzogh merged commit af945fa into aws:master Dec 10, 2021
@berry120

@msailes Will new versions of these libraries be published to Maven shortly with the updated log4j2 deps? (Don't wish to push, just trying to work out the best way of handling this internally given the 0 day!)

@carlzogh
Contributor Author

@berry120 the publish to Maven is happening right now, thanks for insisting on the highest standards!

@sndl

sndl commented Dec 10, 2021

@carlzogh looks like it wasn't published, 1.3.0 is still missing in Maven. This step is marked as failed on the commit: "AWS CodeBuild eu-west-1 (CodeCommitSync-aws-lambda-java-libs)"

@berry120

@msailes Without wishing this to become a common thing (!) is it worth now making a similar PR for log4j 2.16.0? No known 0 day as of yet with 2.15.0 of course, but 2.16.0 goes a step further with security that should help to prevent similar, as of yet unknown exploits. If so then happy to create the PR.

@msailes
Collaborator

msailes commented Dec 14, 2021

@berry120 Thanks for the comment, I'll pass this on to the team.
