vy commented on code in PR #6: URL: https://github.com/apache/logging-site/pull/6#discussion_r1995006760
########## _vulnerabilities.adoc: ########## @@ -106,8 +107,8 @@ Independently discovered by Hideki Okamoto of Akamai Technologies, Guy Lederfein |Summary |Thread Context Lookup is vulnerable to remote code execution in certain configurations |CVSS 3.x Score & Vector |9.0 CRITICAL (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) |Components affected |`log4j-core` -|Versions affected |`[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)` -|Versions fixed |`2.3.1` (for Java 6), `2.12.3` (for Java 7), and `2.17.0` (for Java 8 and later) +|Versions affected |`[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.16.0)` Review Comment: I prefer being cautious, keeping the affected version range at `..., 2.17.0)`, and not saying _"`2.16.0` should be fine against JNDI issues reported in CVE-2021-44228"_ unless we are certain about – of which I am not. @raboof, @rgoers, @jvz, we need a tiebreaker. Would you mind sharing your thoughts, please? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@logging.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
