From 0ffe93385e33f64d44c98c7e227a9c817a16b5ae Mon Sep 17 00:00:00 2001
From: Louis Jacomet
Date: Mon, 20 Dec 2021 10:00:39 +0100
Subject: [PATCH] Update Log4j to 2.17.0

This is required following discovery of https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105

Fixes #19360
---
 .../resolve/ScriptDependencyResolveIntegrationTest.groovy | 6 +++---
 .../gradle/internal/logging/util/Log4jBannedVersion.java | 4 ++--
 .../org/gradle/scala/ScalaPluginIntegrationTest.groovy | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/subprojects/dependency-management/src/integTest/groovy/org/gradle/integtests/resolve/ScriptDependencyResolveIntegrationTest.groovy b/subprojects/dependency-management/src/integTest/groovy/org/gradle/integtests/resolve/ScriptDependencyResolveIntegrationTest.groovy
index f253edd20f2d..6cfdd95ae4a8 100644
--- a/subprojects/dependency-management/src/integTest/groovy/org/gradle/integtests/resolve/ScriptDependencyResolveIntegrationTest.groovy
+++ b/subprojects/dependency-management/src/integTest/groovy/org/gradle/integtests/resolve/ScriptDependencyResolveIntegrationTest.groovy
@@ -95,7 +95,7 @@ rootProject.name = 'testproject'
 @Issue("gradle/gradle#19300")
 def 'carries implicit constraint for log4j-core'() {
 given:
- mavenRepo().module('org.apache.logging.log4j', 'log4j-core', '2.16.0').publish()
+ mavenRepo().module('org.apache.logging.log4j', 'log4j-core', '2.17.0').publish()
 and:
 settingsFile << """
@@ -120,7 +120,7 @@ rootProject.name = 'testproject'
 expect:
 succeeds 'buildEnvironment'
- outputContains('org.apache.logging.log4j:log4j-core:{require 2.16.0; reject [2.0, 2.16)} -> 2.16.0 (c)')
+ outputContains('org.apache.logging.log4j:log4j-core:{require 2.17.0; reject [2.0, 2.17)} -> 2.17.0 (c)')
 }
 @Issue("gradle/gradle#19300")
@@ -160,6 +160,6 @@ rootProject.name = 'testproject'
 expect:
 succeeds 'buildEnvironment'
- outputContains('org.apache.logging.log4j:log4j-core:{require 2.16.0; reject [2.0, 2.16)} -> 3.1.0 (c)')
+ outputContains('org.apache.logging.log4j:log4j-core:{require 2.17.0; reject [2.0, 2.17)} -> 3.1.0 (c)')
 }
 }
diff --git a/subprojects/logging/src/main/java/org/gradle/internal/logging/util/Log4jBannedVersion.java b/subprojects/logging/src/main/java/org/gradle/internal/logging/util/Log4jBannedVersion.java
index 0ebbd9d00642..7052623ec66c 100644
--- a/subprojects/logging/src/main/java/org/gradle/internal/logging/util/Log4jBannedVersion.java
+++ b/subprojects/logging/src/main/java/org/gradle/internal/logging/util/Log4jBannedVersion.java
@@ -22,6 +22,6 @@
 */
 public class Log4jBannedVersion {
 public static final String LOG4J2_CORE_COORDINATES = "org.apache.logging.log4j:log4j-core";
- public static final String LOG4J2_CORE_VULNERABLE_VERSION_RANGE = "[2.0, 2.16)";
- public static final String LOG4J2_CORE_REQUIRED_VERSION = "2.16.0";
+ public static final String LOG4J2_CORE_VULNERABLE_VERSION_RANGE = "[2.0, 2.17)";
+ public static final String LOG4J2_CORE_REQUIRED_VERSION = "2.17.0";
 }
diff --git a/subprojects/scala/src/integTest/groovy/org/gradle/scala/ScalaPluginIntegrationTest.groovy b/subprojects/scala/src/integTest/groovy/org/gradle/scala/ScalaPluginIntegrationTest.groovy
index f080df65d86e..8c130f9f59c6 100644
--- a/subprojects/scala/src/integTest/groovy/org/gradle/scala/ScalaPluginIntegrationTest.groovy
+++ b/subprojects/scala/src/integTest/groovy/org/gradle/scala/ScalaPluginIntegrationTest.groovy
@@ -245,7 +245,7 @@ task someTask
 @ToBeFixedForConfigurationCache(because = ":dependencies")
 @Issue("gradle/gradle#19300")
- def 'show that log4j-core, if present, is 2_16_0 at the minimum'() {
+ def 'show that log4j-core, if present, is 2_17_0 at the minimum'() {
 given:
 file('build.gradle') << """
 apply plugin: 'scala'
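Review bot: The two `+` lines restate the same fix release twice (`2.17)` as the range's upper bound and `2.17.0` as the required version) with nothing keeping them in sync, and this commit is already a second lockstep edit of both; if nothing needs a compile-time constant here, derive the bound instead: `public static final String LOG4J2_CORE_VULNERABLE_VERSION_RANGE = "[2.0, " + LOG4J2_CORE_REQUIRED_VERSION.substring(0, LOG4J2_CORE_REQUIRED_VERSION.lastIndexOf('.')) + ")";`. The constants also carry no record of why the floor moved; a comment such as `// Upper bound is the first log4j-core release fixing CVE-2021-45105; raise both constants together.` would make the next bump traceable. Note that `[2.0, 2.17)` does not reject the 2.0 alpha/beta pre-releases the advisories list as affected, since in Gradle's version ordering a trailing non-numeric part sorts below `2.0`, and it does reject any later patched backport on an older minor line; both are probably acceptable for a build-tool floor but are worth stating in the class Javadoc.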
@@ -256,7 +256,7 @@ task someTask
 def versionPattern = ~/.*-> 2\.(\d+).*/
 expect:
 succeeds('dependencies', '--configuration', 'zinc')
- def log4jOutput = result.getOutputLineThatContains("log4j-core:{require 2.16.0; reject [2.0, 2.16)}")
+ def log4jOutput = result.getOutputLineThatContains("log4j-core:{require 2.17.0; reject [2.0, 2.17)}")
 def matcher = log4jOutput =~ versionPattern
 matcher.find()
 Integer.valueOf(matcher.group(1)) >= 16
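Review bot: The final assertion on the last context line, `Integer.valueOf(matcher.group(1)) >= 16`, still accepts a resolved 2.16.x even though the required version on the `+` line is now 2.17.0, so the test no longer proves the floor its title now names; it should read `Integer.valueOf(matcher.group(1)) >= 17`. The test method starts before this hunk (its title is renamed in the preceding hunk) and its body closes after it. If the integration test classpath allows it, both the bound and the `getOutputLineThatContains` string could be built from `Log4jBannedVersion.LOG4J2_CORE_REQUIRED_VERSION` so the test cannot drift from the production constant again.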