ppkarwasz commented on code in PR #6: URL: https://github.com/apache/logging-site/pull/6#discussion_r2007133349
########## _vulnerabilities.adoc: ########## @@ -106,8 +107,8 @@ Independently discovered by Hideki Okamoto of Akamai Technologies, Guy Lederfein |Summary |Thread Context Lookup is vulnerable to remote code execution in certain configurations |CVSS 3.x Score & Vector |9.0 CRITICAL (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) |Components affected |`log4j-core` -|Versions affected |`[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.17.0)` -|Versions fixed |`2.3.1` (for Java 6), `2.12.3` (for Java 7), and `2.17.0` (for Java 8 and later) +|Versions affected |`[2.0-beta9, 2.3.1) ∪ [2.4, 2.12.3) ∪ [2.13.0, 2.16.0)` Review Comment: Let me be absurdly provocative here: should we add `log4j:log4j` (all versions) to the list of artifacts affected by CVE-2021-44228? I agree with Ralph: version `2.17.0` is the **first** version I would recommend. The reason is not CVE-2021-45046, but CVE-2021-45105. Anyway the main reason for this PR is to align our version numbers with those submitted to the CVE database. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@logging.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
