Re: [PR] Proofread CVE fix versions [logging-site]

Tue, 28 Jan 2025 02:19:38 -0800 


vy commented on code in PR #6:
URL: https://github.com/apache/logging-site/pull/6#discussion_r1931873759


##########
_vulnerabilities.adoc:
##########
@@ -32,8 +32,8 @@ We only extend this mathematical notation with set union 
operator (i.e., `∪`)
 |Summary |JDBC appender is vulnerable to remote code execution in certain 
configurations
 |CVSS 3.x Score & Vector |6.6 MEDIUM 
(CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
 |Components affected |`log4j-core`
-|Versions affected |`[2.0-beta7, 2.3.2) ∪ [2.4, 2.12.4) ∪ [2.13.0, 2.17.1)`
-|Versions fixed |`2.3.2` (for Java 6), `2.12.4` (for Java 7), or `2.17.1` (for 
Java 8 and later)
+|Versions affected |`[2.0-beta7, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)`
+|Versions fixed |`2.3.1` (for Java 6), `2.12.3` (for Java 7), or `2.17.0` (for 
Java 8 and later)

Review Comment:
   1. Shouldn't this stay `2.3.2`, since it adds `isJndiJdbcEnabled()` to the 
`isJndiEnabled` in 
apache/logging-log4j2@ae4dc0c1a6389ae895f60451cd87e97e7b9d85c1?
   2. Same for `2.12.4` due to 
apache/logging-log4j2@b3879958cb3b75eb16bf27e970538b6e4e130f1c
   3. Same for `2.17.1` due to 
apache/logging-log4j2@05db5f9527254632b59aed2a1d78a32c5ab74f16



##########
_vulnerabilities.adoc:
##########
@@ -106,8 +107,8 @@ Independently discovered by Hideki Okamoto of Akamai 
Technologies, Guy Lederfein
 |Summary |Thread Context Lookup is vulnerable to remote code execution in 
certain configurations
 |CVSS 3.x Score & Vector |9.0 CRITICAL 
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
 |Components affected |`log4j-core`
-|Versions affected |`[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)`
-|Versions fixed |`2.3.1` (for Java 6), `2.12.3` (for Java 7), and `2.17.0` 
(for Java 8 and later)
+|Versions affected |`[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.16.0)`

Review Comment:
   There are several JNDI-related hardening in `2.17.0`, e.g., 
apache/logging-log4j2@4a4b7530b1848e630a65d79e9c7dc388a5a7785b. Since this is 
the min. (Java 8 compatible) version we claim to be _not_ vulnerable by 
Log4shell, do you imply `2.17.0..2.17.1` changes contain no Log4shell-related 
fixes?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@logging.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to