dakrone / clj-http

An idiomatic Clojure HTTP client wrapping the Apache client. Officially supported version.
http://clojars.org/clj-http
MIT License

Bump log4j2 version for CVE-2021-44228 #604

Closed eltonlaw closed 2 years ago

eltonlaw commented 2 years ago

Addressing vulnerability to remote code execution via log4j2 JNDI lookup: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

From version 2.16.0, this functionality has been completely removed.

dakrone commented 2 years ago

This should probably upgrade to 2.17.0 since another release was created to address the DoS issue.

eltonlaw commented 2 years ago

Bumped to 2.17.1 https://logging.apache.org/log4j/2.x/security.html

dakrone commented 2 years ago

Merged, thanks!