Please provide an updated point release that includes the fixed log4j vulnerability #29111
Comments
As mentioned in our issue template:
This is already covered by #28984 (and related issues) as well as our dedicated blog post. This will be released on December 23rd.
That is inaccurate. Spring Boot uses Logback by default. The dedicated blog post also covers that using log4j-api and the SLF4J bridge (which we provide for convenience) does not trigger any of those vulnerabilities. If you haven't opted in to log4j2, your app is not vulnerable.
But since even Logback is vulnerable, my app is vulnerable anyway. So my request was to understand if it was possible to have a very fast turnaround for a new release with upgraded deps.
You don't need, and you shouldn't need, to wait for a release to upgrade your use of Logback or Log4j 2. The blog post already has all the information that you're asking for.
Right, but since I couldn't find any mention of how to upgrade Logback, I (wrongly) assumed I couldn't use a similar approach to force the dependency.
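The override approach the maintainer refers to, as an added example that is not from this thread or from the Spring Boot project: it assumes a Maven build that inherits from `spring-boot-starter-parent`, so that redefining the parent's `log4j2.version` and `logback.version` properties repins the managed logging artifacts without waiting for a new Boot release.

```xml
<!-- Added example, not the project's own configuration.
     Assumes <parent> is spring-boot-starter-parent; projects that import
     the spring-boot-dependencies BOM instead must declare the logging
     dependencies with explicit versions in <dependencyManagement>. -->
<properties>
  <!-- Log4j 2 release named in this thread (fixes CVE-2021-45046 and CVE-2021-45105) -->
  <log4j2.version>2.17.0</log4j2.version>
  <!-- PLACEHOLDER: the thread does not name the fixed Logback release; substitute it here -->
  <logback.version>LOGBACK_FIXED_VERSION</logback.version>
</properties>
```

After the change, confirm the resolved versions with `mvn dependency:tree` before deploying; the Gradle equivalent is `ext['log4j2.version'] = '2.17.0'` (and likewise for `logback.version`) in `build.gradle`.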
If I understand correctly, log4j is automatically used in a Spring Boot project (at least I found it in mine even without asking for it).
Since Log4j released a new 2.17.0 version with fixes for CVE-2021-45046 and CVE-2021-45105, it would be great if you could quickly release an updated version that just fixes the dependencies, in order to fix our apps in a short time.