Re: [PR] Proofread CVE fix versions [logging-site]

Tue, 28 Jan 2025 02:17:51 -0800 


vy commented on code in PR #6:
URL: https://github.com/apache/logging-site/pull/6#discussion_r1931891281


##########
_vulnerabilities.adoc:
##########
@@ -106,8 +107,8 @@ Independently discovered by Hideki Okamoto of Akamai 
Technologies, Guy Lederfein
 |Summary |Thread Context Lookup is vulnerable to remote code execution in 
certain configurations
 |CVSS 3.x Score & Vector |9.0 CRITICAL 
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
 |Components affected |`log4j-core`
-|Versions affected |`[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)`
-|Versions fixed |`2.3.1` (for Java 6), `2.12.3` (for Java 7), and `2.17.0` 
(for Java 8 and later)
+|Versions affected |`[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.16.0)`

Review Comment:
   There are several JNDI-related hardening in `2.17.0`, e.g., 
4a4b7530b1848e630a65d79e9c7dc388a5a7785b. Since this is the min. (Java 8 
compatible) version we claim to be _not_ vulnerable by Log4shell, do you imply 
`2.17.0..2.17.1` changes contain no Log4shell-related fixes?



##########
_vulnerabilities.adoc:
##########
@@ -32,8 +32,8 @@ We only extend this mathematical notation with set union 
operator (i.e., `∪`)
 |Summary |JDBC appender is vulnerable to remote code execution in certain 
configurations
 |CVSS 3.x Score & Vector |6.6 MEDIUM 
(CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
 |Components affected |`log4j-core`
-|Versions affected |`[2.0-beta7, 2.3.2) ∪ [2.4, 2.12.4) ∪ [2.13.0, 2.17.1)`
-|Versions fixed |`2.3.2` (for Java 6), `2.12.4` (for Java 7), or `2.17.1` (for 
Java 8 and later)
+|Versions affected |`[2.0-beta7, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)`
+|Versions fixed |`2.3.1` (for Java 6), `2.12.3` (for Java 7), or `2.17.0` (for 
Java 8 and later)

Review Comment:
   1. Shouldn't this stay `2.3.2`, since it adds `isJndiJdbcEnabled()` to the 
`isJndiEnabled` in ae4dc0c1a6389ae895f60451cd87e97e7b9d85c1?
   2. Same for `2.12.4` due to b3879958cb3b75eb16bf27e970538b6e4e130f1c
   3. Same for `2.17.1` due to 05db5f9527254632b59aed2a1d78a32c5ab74f16



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@logging.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to