Not only thinking about log4j here. I’m pretty sure 7.7.x is vulnerable to
several other CVEs over the last 1.5 years too, so we have not followed up with
patch releases as some users might expect. I’ll propose an edit to the download
page to make it clear that 7.x is NOT a patched LTS release a
Users have a valid mitigation that is easy to apply (that sys prop =true),
and they could upgrade Log4j themselves if they are extra paranoid (e.g.
corp mandates, which I am familiar with). So I think no further action by
our project is necessary.
(Merry Christmas to you all)
On Fri, Dec 24, 202