Closed ddsky closed 2 years ago
The SDK doesn't have a dependency on log4j, and the CVE you linked is a junit vulnerability, so I assume you actually meant junit.
CVE-2020-15250 was fixed in commit 92f9d7e30c8cc1d640a5d3fd2e84e9e32c573e08, but since junit is only a test dependency we weren't planning to release it by itself. We were going to wait and release it along with upcoming feature changes in the next few months.
Hey John, you're right, I meant junit, sorry. Got the point about release, thanks.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15250