ppkarwasz opened a new pull request, #6: URL: https://github.com/apache/logging-site/pull/6
This PR double-checks which Log4j Core versions resolved which vulnerabilities.

## Branch `2.3.x`

**https://github.com/advisories/GHSA-fxph-q3j8-mv87** (server class) was never fixed; the TCP/UDP socket server is still there.

**https://github.com/advisories/GHSA-vwqq-5vrc-xw9h** (host name validation) was fixed in `2.3.2`:
- https://github.com/apache/logging-log4j2/commit/3c62f0bea692456b1b5039d3bcc1c3e0ba65146a

**https://github.com/advisories/GHSA-jfh8-c2jp-5v3q** (Log4Shell) was fixed in `2.3.1`:
- https://github.com/apache/logging-log4j2/commit/be848dacbac6df30c4f32b2852e24446033ecf79
- https://github.com/apache/logging-log4j2/commit/f6564bb993d547d0a371b75d869042c334bf57f0

**https://github.com/advisories/GHSA-7rjr-3q55-vv33** (Log4Shell through recursive lookup evaluation) was fixed in `2.3.1`:
- https://github.com/apache/logging-log4j2/commit/f6564bb993d547d0a371b75d869042c334bf57f0

**https://github.com/advisories/GHSA-p6xc-xr62-6r2g** (DoS through recursive lookup evaluation) was fixed in `2.3.1`:
- https://github.com/apache/logging-log4j2/commit/ce6b78d082aae89089cb3ad25cdd46e9ec70a70b

**https://github.com/advisories/GHSA-8489-44mv-ggj8** (RCE if you have access to configuration) was fixed in `2.3.1`:
- https://github.com/apache/logging-log4j2/commit/f6564bb993d547d0a371b75d869042c334bf57f0

## Branch `2.12.x`

**https://github.com/advisories/GHSA-vwqq-5vrc-xw9h** (host name validation) was fixed in `2.12.3`:
- https://github.com/apache/logging-log4j2/commit/2bcba12b185200b7f3f2532cbfeff1e1da0d5c81
- https://github.com/apache/logging-log4j2/commit/bb94ea9fa921a61f90b6a934600567e719419ddd

**https://github.com/advisories/GHSA-jfh8-c2jp-5v3q** (Log4Shell) was fixed in `2.12.2`:
- https://github.com/apache/logging-log4j2/commit/70edc233343815d5efa043b54294a6fb065aa1c5
- https://github.com/apache/logging-log4j2/commit/f819c83804152cb6ed94cb408302e36b21b65053

**https://github.com/advisories/GHSA-7rjr-3q55-vv33** (Log4Shell through recursive lookup evaluation) was fixed in `2.12.3`:
- https://github.com/apache/logging-log4j2/commit/bf8ba18f63ab9f9ffd54387c5c527ecc7a681037

**https://github.com/advisories/GHSA-p6xc-xr62-6r2g** (DoS through recursive lookup evaluation) was fixed in `2.12.3`:
- https://github.com/apache/logging-log4j2/commit/bf7e916df6335713fe2219c7b3b523fb509deabc

**https://github.com/advisories/GHSA-8489-44mv-ggj8** (RCE if you have access to configuration) was fixed in `2.12.3`:
- https://github.com/apache/logging-log4j2/commit/bf8ba18f63ab9f9ffd54387c5c527ecc7a681037

**Note**: Unless I am mistaken, version `2.12.4` didn't contain any security updates.

## Main `2.x` branch

**https://github.com/advisories/GHSA-jfh8-c2jp-5v3q** (Log4Shell) was fixed in `2.15.0`:
- https://github.com/apache/logging-log4j2/commit/c77b3cb39312b83b053d23a2158b99ac7de44dd3
- https://github.com/apache/logging-log4j2/commit/001aaada7dab82c3c09cde5f8e14245dc9d8b454

**https://github.com/advisories/GHSA-7rjr-3q55-vv33** (Log4Shell through recursive lookup evaluation) was fixed in `2.16.0`:
- https://github.com/apache/logging-log4j2/commit/c362aff473e9812798ff8f25f30a2619996605d5
- https://github.com/apache/logging-log4j2/commit/27972043b76c9645476f561c5adc483dec6d3f5d

**https://github.com/advisories/GHSA-p6xc-xr62-6r2g** (DoS through recursive lookup evaluation) was fixed in `2.12.3`:
- https://github.com/apache/logging-log4j2/commit/806023265f8c905b2dd1d81fd2458f64b2ea0b5e

**https://github.com/advisories/GHSA-8489-44mv-ggj8** (RCE if you have access to configuration) was fixed in `2.12.3`:
- https://github.com/apache/logging-log4j2/commit/95b24f77e77e4f1e5cc794df5332643e944fd6f8

**Note**: Unless I am mistaken, version `2.17.1` didn't contain any security updates.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.