[ https://issues.apache.org/jira/browse/LUCENE-10303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459049#comment-17459049 ]
Tomoko Uchida commented on LUCENE-10303:
----------------------------------------

{quote}We should update to 2.16.0 (came out today) in all active branches. Please also change the changelog entry, no new issue please!{quote}

I'll update it. Let me wait for a while (to make sure there is no further minor update on it).

{quote}No patch release needed for Lucene 9.0, as there's no remote access to Luke. I am not sure about Lucene replicator, is it used there, too?{quote}

Only Luke uses log4j. No other module depends on it; I grepped the entire source.

> Upgrade log4j to 2.16.0
> -----------------------
>
>                 Key: LUCENE-10303
>                 URL: https://issues.apache.org/jira/browse/LUCENE-10303
>             Project: Lucene - Core
>          Issue Type: Task
>            Reporter: Tomoko Uchida
>            Assignee: Tomoko Uchida
>            Priority: Minor
>             Fix For: 9.1, 10.0 (main)
>
>         Attachments: LUCENE-10303.patch
>
>
> CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker
> controlled LDAP and other JNDI related endpoints.
> Versions Affected: all versions from 2.0-beta9 to 2.14.1
> [https://logging.apache.org/log4j/2.x/security.html]
>
> Only the luke module uses log4j 2.13.2 (I grepped the entire codebase); meanwhile
> the versions.props is shared by all subprojects, so it may be better to upgrade
> to 2.15.0, I think.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
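As an added example (not part of this issue, its patch, or Lucene's own build), a small checker in the spirit of the grep described above: it parses a versions.props pin in the Gradle `group:artifact=version` form (an assumed format) and tests the log4j version against the affected range quoted in the description, 2.0-beta9 to 2.14.1, with pre-release versions ordered before their final release. The sample file contents are constructed.

```python
import re

# Affected range quoted in the issue description; upgrade target from the comment.
AFFECTED_MIN = "2.0-beta9"
AFFECTED_MAX = "2.14.1"
TARGET = "2.16.0"
LOG4J_GROUP = "org.apache.logging.log4j"

def version_key(v):
    """Map '2.0-beta9' or '2.14.1' to a comparable tuple; a pre-release
    (e.g. beta9) sorts before the final release of the same number."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?", v)
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    major, minor, patch, tag, tagnum = m.groups()
    return (int(major), int(minor), int(patch or 0),
            0 if tag else 1, int(tagnum or 0))

def parse_versions_props(text):
    """Parse 'group:artifact=version' lines (assumed format); '#' starts a comment."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            coord, ver = line.split("=", 1)
            pins[coord.strip()] = ver.strip()
    return pins

def log4j_status(text):
    """Return (pinned_version, affected) for the log4j pin, or (None, False)."""
    for coord, ver in parse_versions_props(text).items():
        if coord.split(":", 1)[0] == LOG4J_GROUP:
            k = version_key(ver)
            affected = version_key(AFFECTED_MIN) <= k <= version_key(AFFECTED_MAX)
            return ver, affected
    return None, False

# Constructed excerpt mirroring the 2.13.2 pin the issue describes, then bumped to TARGET.
SAMPLE_BEFORE = ("# constructed versions.props excerpt\n"
                 "org.apache.logging.log4j:*=2.13.2\n"
                 "org.apache.commons:commons-compress=1.19\n")
SAMPLE_AFTER = SAMPLE_BEFORE.replace("2.13.2", TARGET)

if __name__ == "__main__":
    for label, props in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        ver, affected = log4j_status(props)
        print(f"{label}: log4j {ver} affected by CVE-2021-44228: {affected}")
```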