codice / ddf

DDF Distributed Data Framework - an open source, modular integration framework.
http://ddf.codice.org

DDF-6673 / G-10028 upgrades pax-logging to 1.11.13 #6674

Closed jlcsmith closed 2 years ago

jlcsmith commented 2 years ago

What does this PR do?

Upgrades pax-logging to 1.11.13 to resolve CVE-2021-44228

Note - this does not resolve the vulnerable log4j jars bundled in Solr. That will be addressed separately.

Who is reviewing it?

@brendan-hofmann @millerw8 @jrnorth @beyelerb

Select relevant component teams:

@codice/security

Ask 2 committers to review/merge the PR and tag them here.

@brendan-hofmann @millerw8 @jrnorth @beyelerb

How should this be tested?

Run a vulnerability scanner against the exploded distro (e.g., the lunasec log4shell scan). The only log4j vulnerabilities identified should be coming from solr:

Any background context you want to provide?

What are the relevant tickets?

Fixes: #6673

Notes on Review Process

Please see Notes on Review Process for further guidance on requirements for merging and abbreviated reviews.

jlcsmith commented 2 years ago

build now

jrnorth commented 2 years ago

build now

cxddfbot commented 2 years ago

Internal build has been started, your results will be available at build completion.

cxddfbot commented 2 years ago

Build ABORTED. See the job results in legacy Jenkins UI or in Blue Ocean UI.

cxddfbot commented 2 years ago

Internal build has been started, your results will be available at build completion.

cxddfbot commented 2 years ago

Build SUCCESS. See the job results in legacy Jenkins UI or in Blue Ocean UI.

brendan-hofmann commented 2 years ago

Just be aware that this fix requires scan tool suppressions as well, because the vulnerable versions are still in the transitive dependencies; we're just substituting the fixed version at the last second when we package the distribution.
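As an added example (not code from this PR or from the DDF project), the following script shows the kind of check the "How should this be tested?" section asks for, combined with the allow-listing that brendan-hofmann's comment implies: it walks an exploded distribution, finds every archive that carries log4j-core's `JndiLookup` class (recursing into nested jars/wars), reads the version from the jar's Maven `pom.properties`, and flags it as affected by CVE-2021-44228 unless it is 2.15.0 or later or one of the fixed backports (2.12.2, 2.3.1). Findings under an accepted prefix (assumed here to be `solr/`, matching the PR's note that Solr's bundled log4j is handled separately) are marked accepted rather than outstanding. The directory layout and the sample jars are constructed stand-ins, not real DDF artifacts; only the marker entry names match real log4j-core jars.

```python
import io
import os
import re
import tempfile
import zipfile

# Entry names as laid out in a real log4j-core jar.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

# CVE-2021-44228 is fixed from 2.15.0; 2.12.2 (Java 7) and 2.3.1 (Java 6) are fixed backports.
FIRST_FIXED = (2, 15, 0)
FIXED_BACKPORTS = {(2, 12, 2), (2, 3, 1)}


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); None if no version is present in the text."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def is_affected(version):
    """A jar carrying JndiLookup with an unknown version is treated as affected."""
    if version is None:
        return True
    return version < FIRST_FIXED and version not in FIXED_BACKPORTS


def read_version(zf):
    """Read the log4j-core version from the jar's Maven pom.properties, if present."""
    try:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in props.splitlines():
        if line.startswith("version="):
            return parse_version(line.split("=", 1)[1])
    return None


def inspect_archive(data, path, findings):
    """Look for JndiLookup in an in-memory archive, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = zf.namelist()
        if JNDI_LOOKUP in names:
            version = read_version(zf)
            findings.append({"path": path, "version": version, "affected": is_affected(version)})
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                inspect_archive(zf.read(name), f"{path}!{name}", findings)


def scan_distribution(root, accepted_prefixes=()):
    """Walk an exploded distro; affected findings under accepted_prefixes are marked accepted."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, "rb") as f:
                    inspect_archive(f.read(), rel, findings)
    for f in findings:
        f["accepted"] = f["affected"] and f["path"].startswith(tuple(accepted_prefixes))
    return findings


def make_jar_bytes(version=None, jndi=True, nested=None):
    """Constructed stand-in for a jar: a zip holding only the entries the scanner keys on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode
        if version:
            zf.writestr(POM_PROPS, f"version={version}\n")
        for name, data in (nested or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_distribution(root):
    """Constructed tree: vulnerable jar under solr/, fixed jar, api-only jar, nested backport."""
    samples = {
        "solr/server/lib/log4j-core-2.14.1.jar": make_jar_bytes("2.14.1"),
        "lib/log4j-core-2.17.1.jar": make_jar_bytes("2.17.1"),
        "lib/log4j-api-2.14.1.jar": make_jar_bytes(jndi=False),
        "lib/app.war": make_jar_bytes(
            jndi=False, nested={"WEB-INF/lib/log4j-core-2.12.2.jar": make_jar_bytes("2.12.2")}),
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def scan_sample():
    """Build the constructed tree in a temp dir, scan it, and return findings keyed by path."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_distribution(root)
        return {f["path"]: f for f in scan_distribution(root, accepted_prefixes=("solr/",))}


if __name__ == "__main__":
    outstanding = 0
    for path, f in sorted(scan_sample().items()):
        status = "accepted" if f["accepted"] else ("AFFECTED" if f["affected"] else "fixed")
        print(f"{status:9} {f['version']} {path}")
        outstanding += f["affected"] and not f["accepted"]
    raise SystemExit(1 if outstanding else 0)  # non-zero exit when anything is unaccounted for
```

Pointing `scan_distribution` at a real exploded distribution instead of the sample tree gives the same report; the exit status makes it usable as a CI gate, with the accepted-prefix list playing the role of the scan tool suppressions the review comment mentions, so that an accepted finding under `solr/` does not mask a new one elsewhere.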