Closed jlcsmith closed 2 years ago
build now
build now
Internal build has been started, your results will be available at build completion.
Build ABORTED See the job results in legacy Jenkins UI or in Blue Ocean UI.
Internal build has been started, your results will be available at build completion.
Build SUCCESS See the job results in legacy Jenkins UI or in Blue Ocean UI.
Just be aware that this fix requires scan tool suppressions as well, because the vulnerable versions are still in the transitive dependencies; we're just substituting the fixed version at the last second when we package the distribution.
What does this PR do?
Upgrades pax-logging to 1.11.13 to resolve CVE-2021-44228
Note - this does not resolve the vulnerable log4j jars bundled in Solr. That will be addressed separately.
Who is reviewing it?
@brendan-hofmann @millerw8 @jrnorth @beyelerb
Select relevant component teams:
@codice/security
Ask 2 committers to review/merge the PR and tag them here.
@brendan-hofmann @millerw8 @jrnorth @beyelerb
How should this be tested?
Run a vulnerability scanner against the exploded distro (e.g., lunasec log4shell scan). The only log4j vulnerabilities identified should be coming from solr:
Any background context you want to provide?
What are the relevant tickets?
Fixes: #6673
Checklist:
Notes on Review Process
Please see Notes on Review Process for further guidance on requirements for merging and abbreviated reviews.
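A worked version of the check described under "How should this be tested?", added here as an example; it is not part of this PR, of DDF, or of the lunasec tool. It walks an exploded distribution, opens every .jar/.war/.kar/.zip (recursing into archives embedded in them, which is where a webapp keeps its WEB-INF/lib jars), reads the log4j-core version from META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties, and reports it as vulnerable when it predates the CVE-2021-44228 fix (2.15.0 on the main line, with the 2.12.2 and 2.3.1 backports for the Java 7 and Java 6 lines treated as fixed). An archive that contains org/apache/logging/log4j/core/lookup/JndiLookup.class but has no log4j-core pom.properties to version it cannot be classified this way and is reported for manual review rather than silently passed; presence of the class alone is not treated as vulnerable, since 2.15.0 still ships it. Findings whose path contains "solr" are separated from the rest so that the expected result above (only Solr findings remain) becomes unexpected_findings() returning an empty list. Because the check inspects the packaged jars rather than the declared dependency graph, it sees the substituted version, not the transitive one. The sample layout, file names and class-file bytes are constructed for this example and are not a real DDF distribution.

```python
"""Log4Shell check for an exploded distribution (added example, not DDF or lunasec code)."""
import io
import re
import tempfile
import zipfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterator, List, Optional

LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".kar", ".zip")
FIRST_FIXED = (2, 15, 0, 1)                                      # first mainline release fixing CVE-2021-44228
BACKPORT_FIXES = {(2, 12): (2, 12, 2, 1), (2, 3): (2, 3, 1, 1)}  # Java 7 / Java 6 maintenance lines


@dataclass
class Finding:
    path: str               # "outer.war!WEB-INF/lib/inner.jar" for nested archives
    version: Optional[str]  # None when no log4j-core pom.properties was found
    jndi_present: bool
    status: str             # "vulnerable", "review" or "ok"

    @property
    def component(self) -> str:
        return "solr" if "solr" in self.path.lower() else "other"


def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1, 1); '2.0-beta9' -> (2, 0, 0, 0). Last element: 1 for GA, 0 for pre-release."""
    core, _, pre = text.partition("-")
    nums = [int(p) for p in re.findall(r"\d+", core)][:3]
    nums += [0] * (3 - len(nums))
    return (*nums, 0 if pre else 1)


def is_fixed(version: str) -> bool:
    """True if this log4j-core version carries the CVE-2021-44228 fix for its release line."""
    v = parse_version(version)
    return v >= BACKPORT_FIXES.get(v[:2], FIRST_FIXED)


def classify(version: Optional[str], jndi_present: bool) -> str:
    if version is not None:
        return "ok" if is_fixed(version) else "vulnerable"
    # 2.15.0 still ships JndiLookup.class, so its presence alone is not proof of vulnerability,
    # but with no version metadata the archive needs a human (or a hash-based tool) to decide.
    return "review" if jndi_present else "ok"


def scan_archive(zf: zipfile.ZipFile, label: str) -> Iterator[Finding]:
    names = zf.namelist()
    name_set = set(names)
    version = None
    if LOG4J_CORE_POM in name_set:
        for line in zf.read(LOG4J_CORE_POM).decode("utf-8", "replace").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                version = value.strip()
    jndi = JNDI_LOOKUP_CLASS in name_set
    if version is not None or jndi:
        yield Finding(label, version, jndi, classify(version, jndi))
    for name in names:  # recurse into embedded archives (webapp WEB-INF/lib, kar repositories, ...)
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            yield from scan_archive(inner, f"{label}!{name}")


def scan_distribution(root: Path) -> List[Finding]:
    findings: List[Finding] = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                findings.extend(scan_archive(zf, path.relative_to(root).as_posix()))
    return findings


def unexpected_findings(findings: List[Finding]) -> List[Finding]:
    """The PR's pass condition: nothing non-ok outside the Solr tree."""
    return [f for f in findings if f.status != "ok" and f.component != "solr"]


# ---- constructed sample distribution: names and class bytes are made up for this example ----
def _log4j_core_entries(version: str) -> Dict[str, bytes]:
    pom = f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n"
    return {LOG4J_CORE_POM: pom.encode(), JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe"}  # placeholder, not a real class


def _zip_bytes(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_distribution(root: Path) -> None:
    layout = {
        "lib/log4j-core-2.15.0.jar": _log4j_core_entries("2.15.0"),                 # fixed, JndiLookup still present
        "lib/log4j-api-2.15.0.jar": {"META-INF/maven/org.apache.logging.log4j/log4j-api/pom.properties":
                                     b"version=2.15.0\n"},                            # not log4j-core: ignored
        "system/repackaged-logging-bundle.jar": {JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe"},  # no version: review
        "solr/server/lib/ext/log4j-core-2.14.1.jar": _log4j_core_entries("2.14.1"),        # vulnerable, under Solr
        "solr/solr-webapp.war": {"WEB-INF/lib/log4j-core-2.11.2.jar": _zip_bytes(_log4j_core_entries("2.11.2"))},
    }
    for rel, entries in layout.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(_zip_bytes(entries))


def run_sample_scan() -> List[Finding]:
    root = Path(tempfile.mkdtemp(prefix="log4shell-sample-"))
    build_sample_distribution(root)
    return scan_distribution(root)


if __name__ == "__main__":
    import sys
    findings = scan_distribution(Path(sys.argv[1])) if len(sys.argv) > 1 else run_sample_scan()
    for f in findings:
        print(f"{f.status:10} {f.component:5} version={f.version or '?':8} jndi={f.jndi_present!s:5} {f.path}")
    bad = unexpected_findings(findings)
    print(f"{len(bad)} finding(s) outside Solr need attention")
    sys.exit(1 if bad else 0)
```

Run it with the path to the exploded distribution as the only argument; with no argument it builds and scans the constructed sample, where the one non-Solr result is the repackaged bundle with an unversioned JndiLookup.class, which is exactly the kind of hit that has to be resolved by hand (or suppressed once resolved) rather than by version comparison. The "solr" path heuristic is an assumption about the layout; adjust it to the real directory name if it differs.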