circleci / rollcage

A Clojure client for Rollbar
Eclipse Public License 1.0

Does rollcage expose users to the log4shell exploit? #55

Closed jkndrkn closed 3 months ago

jkndrkn commented 2 years ago

rollcage is currently using org.clojure/tools.logging 0.4.0 which depends on a version of log4j that is vulnerable to the log4shell exploit:

https://logging.apache.org/log4j/2.x/security.html

Does rollcage expose users to the log4shell exploit?

Upgrading to tools.logging 1.2.2 would result in loading the recommended log4j version 2.16.0

jkndrkn commented 3 months ago

Looks like as of https://clojars.org/circleci/rollcage/versions/1.0.218 this project still relies on org.clojure/tools.logging 0.4.0

jkndrkn commented 3 months ago

Per Alex Miller:

tools.logging has only a test dependency on log4j and does not have a vulnerability from that

See: https://clojurians.slack.com/archives/C03S1KBA2/p1715701767194979
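A practical way to settle the question for your own project is to inspect the resolved dependency tree rather than the library's declared dependencies, since a test-scoped dependency (as tools.logging's log4j dependency is) never reaches a consumer's classpath. The checker below is an added example, not code from rollcage or tools.logging; it assumes `lein deps :tree` style output (`[group/artifact "version"]` lines, sample constructed inline) and uses the 2.16.0 threshold named in this issue, so check the Apache advisory linked above for any later fixed releases.

```python
import re
from typing import List, Tuple

# Threshold taken from this issue: log4j-core releases below 2.16.0 are flagged.
FIXED_VERSION = (2, 16, 0)
LOG4J_CORE = "org.apache.logging.log4j/log4j-core"

# One line of `lein deps :tree` style output (assumed format), e.g.
#   [org.apache.logging.log4j/log4j-core "2.14.1"]
DEP_LINE = re.compile(r'^\s*\[(?P<name>\S+)\s+"(?P<version>[^"]+)"\]')


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.16.0' into (2, 16, 0); non-numeric parts count as 0 so
    pre-release strings like '2.0-beta9' still sort below the fix."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def vulnerable_log4j(tree_text: str) -> List[Tuple[str, str]]:
    """Return (artifact, version) pairs for every log4j-core entry in the
    resolved tree whose version is below FIXED_VERSION."""
    hits = []
    for line in tree_text.splitlines():
        match = DEP_LINE.match(line)
        if not match:
            continue
        name, version = match.group("name"), match.group("version")
        if name == LOG4J_CORE and parse_version(version) < FIXED_VERSION:
            hits.append((name, version))
    return hits


# Constructed sample, not real rollcage output. Note that log4j-core appears
# at the top level (pulled in by the project itself), not under
# tools.logging: a test-scoped dependency is absent from a consumer's tree.
SAMPLE_TREE = """\
 [circleci/rollcage "1.0.218"]
   [org.clojure/tools.logging "0.4.0"]
 [org.apache.logging.log4j/log4j-core "2.14.1"]
 [org.apache.logging.log4j/log4j-api "2.14.1"]
"""

if __name__ == "__main__":
    for name, version in vulnerable_log4j(SAMPLE_TREE):
        print(f"{name} {version} is below 2.16.0")
```

Run it against `lein deps :tree > tree.txt` output of your own project; an empty result means no vulnerable log4j-core is on the resolved classpath, regardless of what rollcage's dependencies declare.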