raboof commented on code in PR #6: URL: https://github.com/apache/logging-site/pull/6#discussion_r1995312754
########## _vulnerabilities.adoc: ########## @@ -106,8 +107,8 @@ Independently discovered by Hideki Okamoto of Akamai Technologies, Guy Lederfein |Summary |Thread Context Lookup is vulnerable to remote code execution in certain configurations |CVSS 3.x Score & Vector |9.0 CRITICAL (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) |Components affected |`log4j-core` -|Versions affected |`[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)` -|Versions fixed |`2.3.1` (for Java 6), `2.12.3` (for Java 7), and `2.17.0` (for Java 8 and later) +|Versions affected |`[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.16.0)` Review Comment: I was not around when log4shell happened so take my input with a grain of salt, but my understanding so far is: From a purely practical perspective, without looking at the technical side at all, the details of the the version metadata we have published to Mitre for CVE-2021-45046 (https://www.cve.org/CVERecord?id=CVE-2021-45046) is that only versions before 1.16.0 were affected. While I agree with erring on the safe side, as we cannot widen affected version ranges on already-published CVEs, the low-friction way to make things consistent might be to have CVE-2021-45046 listed as affecting versions before 1.16.0, but add references highlighting that operators should also consider the follow-ups CVE-2021-45105 and CVE-2021-44832 and make sure to upgrade to 1.17.1 (1.17.0?). -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@logging.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
