Please provide an updated point release that includes the fixed log4j vulnerability #29111
Comments
spring-projects-issues
added
the
status: waiting-for-triage
|
As mentioned in our issue template:
This is already covered by #28984 (and related issues) as well as our dedicated blog post. This will be released on December 23rd. |
bclozel
added
status: duplicate
That is inaccurate. Spring Boot uses logback by default. The dedicated blog post cover also that using log4j-api and the slf4j bridge (which we provide by convenience) does not trigger any of those vulnerabilities. If you've not opt-in for log4j2, your app is not vulnerable. |
|
But since even logback is vulnerable my app is vulnerable anyway. So my request was to understand if it was possible to have a very fast turnaround for a new release with upgraded deps. |
|
You don't need and you shouldn't need to wait for a release to upgrade your use of Logback or Log4J2. The blog post has already all the information that you're asking. |
|
Right, but since I couldn't find any mention on how to upgrade logback I (wrongly) assumed I couldn't use a similar approach to force the dependency. |
if I understand correctly log4j is automatically used when used in a spring boot project (at least I found it in mine even without asking for it).
Since Log4J released a new 2.17.0 version with fixes for CVE-2021-45046 and CVE-2021-45105 it would be great if you could quickly release an update version that just fixes the dependencies in order to fix our apps in a short time.
The text was updated successfully, but these errors were encountered: