ppkarwasz commented on PR #6:
URL: https://github.com/apache/logging-site/pull/6#issuecomment-2724317413

> First, I think you should link to https://musigma.blog/2023/11/10/log4shell-history.html. While Matt's page says Log4Shell was fixed in 2.16.0, my recollection was that 2.17.0 was the only release I would recommend. I believe that was the release where Carter finally resolved the problems with recursive lookups.

The main change in this PR is the statement that `2.17.0` did **not** contain the [CVE-2021-44832](https://nvd.nist.gov/vuln/detail/CVE-2021-44832) vulnerability (i.e. remote code execution by modification of the configuration of a JDBC appender).

The NVD entry states "This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", but this is incorrect, since the limitation was introduced in `2.17.0`: https://github.com/apache/logging-log4j2/commit/f6564bb993d547d0a371b75d869042c334bf57f0

**Note**: I wouldn't recommend `2.17.0` either, since:

- It is **not** the latest patch release of the `2.17.x` branch. Version `2.17.2` IMHO should have been a `MINOR` release, but let us keep it simple: you should **always** upgrade to the last patch release of the minor release you use, without questioning. If suddenly maintainers decide to release patches to an old minor version (as it happened with `2.3.x` or `2.12.x`), there must be a reason.
- It is **not** maintained any more. Sure, users that only use documented properties and features should be able to upgrade to `2.24.3` **without** any problems, but somehow problems always appear on such big upgrades.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@logging.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
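The two rules in the comment (the JDBC JNDI data-source restriction is present from 2.17.0, 2.12.4 and 2.3.2 onward, and you should always be on the last patch release of your minor line) are easy to turn into a check that runs over a Maven `dependency:tree` report. The following is an added example, not code from the PR, the logging-site project or Log4j itself. The branch tables are a constructed snapshot of exactly the versions named in the comment, the `MAINTAINED` set is an assumption drawn from the comment's statement that `2.17.x` is no longer maintained, and the sample dependency tree is constructed input.

```python
"""Version-policy check for log4j-core artifacts, following the advice in
the comment above. Added example; branch tables are a constructed snapshot
of the releases named in the comment and must be refreshed against the
project's release notes before real use."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Releases that restrict JDBC appender JNDI data-source names to the java
# protocol (CVE-2021-44832). 2.17.0 already contains the change, although
# NVD lists 2.17.1; 2.12.4 and 2.3.2 are the backports to older lines.
JDBC_JNDI_RESTRICTION = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4), (2, 17): (2, 17, 0)}

# Last patch release of each minor line named in the comment (snapshot).
LATEST_PATCH = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4), (2, 17): (2, 17, 2), (2, 24): (2, 24, 3)}

# Assumption: only the 2.24 line is still maintained. The comment states
# 2.17.x is not; 2.3.x and 2.12.x only received one-off security backports.
MAINTAINED = {(2, 24)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")
# Maven coordinate as printed by dependency:tree, e.g.
# org.apache.logging.log4j:log4j-core:jar:2.17.0:compile
_COORD_RE = re.compile(r"org\.apache\.logging\.log4j:log4j-core:(?:jar:)?(\d+\.\d+\.\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch'; anything else (snapshots, qualifiers) is rejected."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def _fmt(parts: tuple[int, ...]) -> str:
    return ".".join(str(p) for p in parts)


@dataclass(frozen=True)
class Assessment:
    version: str
    has_jdbc_jndi_restriction: bool
    is_latest_patch: bool | None  # None: minor line not in the snapshot
    maintained: bool
    findings: tuple[str, ...]


def assess(version: str) -> Assessment:
    """Apply the comment's two rules plus the maintenance assumption to one version."""
    v = parse_version(version)
    minor = v[:2]
    # Every release from 2.17.0 on carries the restriction; older lines only if
    # they received the backport. 2.13.x through 2.16.x never did.
    backport = JDBC_JNDI_RESTRICTION.get(minor)
    has_fix = v >= (2, 17, 0) or (backport is not None and v >= backport)
    latest = LATEST_PATCH.get(minor)
    is_latest = None if latest is None else v >= latest
    maintained = minor in MAINTAINED

    findings: list[str] = []
    if not has_fix:
        findings.append("CVE-2021-44832: JDBC appender JNDI data-source names are not "
                        "restricted to the java protocol")
    if is_latest is False:
        findings.append(f"not the last patch release of the {_fmt(minor)}.x line "
                        f"(latest known: {_fmt(latest)})")
    if not maintained:
        findings.append("minor line no longer maintained; plan the move to the current "
                        "line (2.24.3 at the time of the comment)")
    return Assessment(version, has_fix, is_latest, maintained, tuple(findings))


def scan_dependency_tree(report: str) -> dict[str, Assessment]:
    """Assess every distinct log4j-core version found in dependency:tree output."""
    versions = sorted(set(_COORD_RE.findall(report)))
    return {ver: assess(ver) for ver in versions}


# Constructed sample: a direct 2.17.0 dependency and a transitive 2.12.3 one.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.17.0:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.0:compile
[INFO] \\- com.example:legacy-lib:jar:3.2:compile
[INFO]    \\- org.apache.logging.log4j:log4j-core:jar:2.12.3:compile
"""

if __name__ == "__main__":
    for ver, a in scan_dependency_tree(SAMPLE_TREE).items():
        status = "OK" if not a.findings else "; ".join(a.findings)
        print(f"log4j-core {ver}: {status}")
```

Run as a script it reports both log4j-core versions in the constructed tree: 2.17.0 passes the CVE-2021-44832 check but is flagged for not being the last 2.17.x patch and for sitting on an unmaintained line, while 2.12.3 is additionally flagged as lacking the JNDI data-source restriction. Only exact `major.minor.patch` strings are accepted, so a snapshot or qualified version surfaces as an error rather than a silent pass.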
> First, I think you should link to https://musigma.blog/2023/11/10/log4shell-history.html. While Matt's page says Log4Shell was fixed in 2.16.0 my recollection was that 2.17.0 was the only release I would recommend. I believe that was the release where Carter finally resolved the problems with recursive lookups. The main change in this PR is the statement that `2.17.0` did **not** contain the [CVE-2021-44832](https://nvd.nist.gov/vuln/detail/CVE-2021-44832) vulnerability (i.e. remote code execution by modification of the configuration of a JDBC appender). The NVD entry states "This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", but this is incorrect, since the limitation was introduced in `2.17.0`: https://github.com/apache/logging-log4j2/commit/f6564bb993d547d0a371b75d869042c334bf57f0 **Note**: I wouldn't recommend `2.17.0` either, since: - It is **not** the latest patch release of the `2.17.x` branch. Version `2.17.2` IMHO should have been a `MINOR` release, but let us keep it simple: you should **always** upgrade to the last patch release of the minor release you use, without questioning. If suddenly maintainers decide to release patches to an old minor version (as it happened `2.3.x` or `2.12.x`) there must be a reason. - It is **not** maintained any more. Sure, users that only use documented properties and features, should be able to upgrade to `2.24.3` **without** any problems, but somehow problems always appear on such big upgrades. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@logging.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org