clj-commons / aleph

Asynchronous streaming communication for Clojure - web server, web client, and raw TCP/UDP
http://aleph.io
MIT License

Update dependencies to mitigate CVE-2021-44228 in log4j #576

Closed KaliszAd closed 2 years ago

KaliszAd commented 2 years ago

Update to at least

[org.clojure/tools.logging "1.2.1"]

from https://github.com/clojure/tools.logging

to mitigate CVE-2021-44228 in log4j, which is a transitive dependency, it seems.

EDIT:

This was written by Alex Miller, the maintainer of tools.logging:

tools.logging doesn't actually have a dependency on log4j (you bring your own), but it does use log4j as a test dependency and this bumps all those deps to the new versions

KingMob commented 2 years ago

Thanks for mentioning this, @KaliszAd. We appreciate you looking out for Aleph's security.

However, AFAICT Aleph isn't at risk of CVE-2021-44228. The tools.logging update is really for itself, and not any consumers, since it only depends on log4j when running its tests. Aleph itself only depends on slf4j, and has no direct dependency on log4j.

Mildly more relevant is Netty itself. They just committed a security bugfix (netty/netty#11909), but according to their commit message, their own dep on log4j is optional, so they're not cutting a release just for CVE-2021-44228.
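The distinction drawn in this thread (log4j present only in test scope versus on the shipped classpath) is what a dependency audit has to check. The script below is an added example, not code from the Aleph project or from anyone in the thread: it parses a constructed `mvn dependency:tree` listing and buckets each log4j-core occurrence by scope and version; the fix threshold 2.15.0 is the first log4j release addressing CVE-2021-44228.

```python
import re
from typing import NamedTuple

# Constructed sample of `mvn dependency:tree` output, not Aleph's real tree:
# slf4j in compile scope, log4j-core pulled in only as a test dependency.
SAMPLE_TREE = """\
[INFO] example:app:jar:0.1.0
[INFO] +- org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO] +- org.clojure:tools.logging:jar:1.2.1:compile
[INFO] \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:test
[INFO]    \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:test
"""

# Maven prints coordinates as group:artifact:type[:classifier]:version:scope
DEP_RE = re.compile(
    r"([\w.\-]+):([\w.\-]+):[\w\-]+(?::[\w\-]+)?:([\w.\-]+):(\w+)\s*$"
)
# Scopes whose artifacts end up on the runtime classpath of the built artifact.
RUNTIME_SCOPES = {"compile", "runtime"}
# First log4j release addressing CVE-2021-44228 (later releases fixed follow-ups).
FIXED_VERSION = (2, 15, 0)


class Dep(NamedTuple):
    group: str
    artifact: str
    version: str
    scope: str


def parse_tree(text: str) -> list:
    """Extract every dependency line; the root coordinate has no scope and is skipped."""
    return [Dep(*m.groups()) for line in text.splitlines() if (m := DEP_RE.search(line))]


def version_tuple(v: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) for ordered comparison."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])


def log4j_exposure(text: str) -> dict:
    """Bucket log4j-core occurrences: runtime-scoped and below the fix version
    are 'exposed'; runtime-scoped at or above it are 'patched'; anything in
    test/provided scope is 'not_shipped' and does not reach production."""
    report = {"exposed": [], "patched": [], "not_shipped": []}
    for d in parse_tree(text):
        if (d.group, d.artifact) != ("org.apache.logging.log4j", "log4j-core"):
            continue
        entry = f"{d.version}:{d.scope}"
        if d.scope not in RUNTIME_SCOPES:
            report["not_shipped"].append(entry)
        elif version_tuple(d.version) < FIXED_VERSION:
            report["exposed"].append(entry)
        else:
            report["patched"].append(entry)
    return report
```

Feed it the real `mvn dependency:tree` output of a project to see whether a log4j-core hit is a build-time artifact, as tools.logging's is, or something actually deployed.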