hivemq / hivemq-mqtt-client

HiveMQ MQTT Client is an MQTT 5.0 and MQTT 3.1.1 compatible and feature-rich high-performance Java client library with different API flavours and backpressure support
https://hivemq.github.io/hivemq-mqtt-client/
Apache License 2.0

Need new version with log4j fix by netty library #516

Closed neilm30 closed 2 years ago

neilm30 commented 2 years ago

Hello All

This is a bit urgent regarding log4j security issue.

The issue has been fixed by the netty library (netty/common) as part of the latest version 4.1.72-final. We are using hivemq in our Android applications. The current hivemq version 1.3.0 is using the 4.1.48-final version of netty, which is pretty old.

https://search.maven.org/artifact/com.hivemq/hivemq-mqtt-client/1.3.0/jar

Can we expect a new hivemq version soon with the netty dependency updated?

Thank you

SgtSilvio commented 2 years ago

Hi @neilm30, this project does not have a dependency on log4j, neither directly nor transitively. Netty does not bring in a log4j dependency; it has only an optional dependency which you need to include on your own.

Besides this, we also upgraded the log4j2 version of our optional dependency (which also means that while we use it, it will not be automatically pulled in, and so there is no risk from netty's point of view). (https://netty.io/news/2021/12/13/4-1-72-Final.html)

As long as you do not declare a dependency on log4j on your own or include it via other dependencies than the hivemq-mqtt-client, there is nothing to worry about.
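The reply above makes a claim about the resolved dependency graph that any app team can verify locally rather than take on trust. The script below is an added example and not part of the hivemq-mqtt-client project: it scans the text that `gradle dependencies` prints for artifacts in the `org.apache.logging.log4j` group and reports, for each hit, the resolved version and the direct dependency that pulled it in. The configuration name `releaseRuntimeClasspath` is an assumption about an Android build (variant names differ per project), and both embedded trees are constructed samples, with `com.example:some-logging-lib` standing in for a hypothetical second library that does carry log4j.

```shell
#!/bin/sh
# Added example (not project code): check a Gradle dependency tree for log4j artifacts.
#
# Real usage (configuration name is an assumption; pick the one your variant resolves):
#   ./gradlew :app:dependencies --configuration releaseRuntimeClasspath > tree.txt
#   sh check_log4j.sh tree.txt      # exit 0 = no log4j in the graph, 1 = log4j present
# With no argument the script runs against the constructed samples below.

# Print one line per log4j artifact: "group:name:resolvedVersion via <direct dependency>".
# Gradle's tree lines look like "|    +--- group:name:version"; every nesting level adds
# five columns before the "+--- " / "\--- " marker, so the marker position gives the depth.
find_log4j() {
    awk '
        index($0, "--- ") > 1 {
            pos   = index($0, "--- ")
            depth = (pos - 2) / 5
            line  = substr($0, pos + 4)
            split(line, tok, " ")
            coord = tok[1]
            # Conflict resolution is printed as "requested -> resolved"; keep the resolved version.
            if (tok[2] == "->") { split(coord, p, ":"); coord = p[1] ":" p[2] ":" tok[3] }
            anc[depth] = coord               # remember the artifact at this depth
            if (coord ~ /^org\.apache\.logging\.log4j:/) {
                key = coord " via " anc[0]   # anc[0] is the direct dependency on this path
                if (!(key in seen)) { seen[key] = 1; print key }
            }
        }
    '
}

# Read a tree on stdin; exit 0 when it contains no log4j artifact, 1 with a listing otherwise.
check_tree() {
    hits="$(find_log4j)"
    if [ -n "$hits" ]; then
        printf 'log4j present in resolved dependency graph:\n%s\n' "$hits"
        return 1
    fi
    echo "no log4j artifacts in resolved dependency graph"
    return 0
}

# Constructed sample 1: hivemq-mqtt-client 1.3.0 with its netty 4.1.48.Final modules.
# This is not captured output; it is written to match the shape Gradle prints.
CLEAN_TREE='releaseRuntimeClasspath - Runtime classpath of compilation release.
+--- com.hivemq:hivemq-mqtt-client:1.3.0
|    +--- io.netty:netty-buffer:4.1.48.Final
|    |    \--- io.netty:netty-common:4.1.48.Final
|    +--- io.netty:netty-handler:4.1.48.Final
|    |    +--- io.netty:netty-common:4.1.48.Final
|    |    +--- io.netty:netty-buffer:4.1.48.Final (*)
|    |    \--- io.netty:netty-transport:4.1.48.Final
|    |         \--- io.netty:netty-common:4.1.48.Final
|    \--- io.netty:netty-codec:4.1.48.Final
|         \--- io.netty:netty-transport:4.1.48.Final (*)
\--- com.example:other-lib:1.0

(*) - dependencies omitted (listed previously)'

# Constructed sample 2: the same app plus a hypothetical library that brings log4j in
# transitively, including a version conflict that Gradle resolved upward.
DIRTY_TREE='releaseRuntimeClasspath - Runtime classpath of compilation release.
+--- com.hivemq:hivemq-mqtt-client:1.3.0
|    +--- io.netty:netty-handler:4.1.48.Final
|    |    \--- io.netty:netty-transport:4.1.48.Final
|    \--- io.netty:netty-codec:4.1.48.Final
|         \--- io.netty:netty-transport:4.1.48.Final (*)
\--- com.example:some-logging-lib:1.0
     \--- org.apache.logging.log4j:log4j-core:2.14.1 -> 2.17.1
          \--- org.apache.logging.log4j:log4j-api:2.17.1

(*) - dependencies omitted (listed previously)'

if [ -n "${1:-}" ]; then
    check_tree < "$1"
else
    echo "== constructed clean tree =="
    printf '%s\n' "$CLEAN_TREE" | check_tree
    echo "== constructed tree with log4j =="
    printf '%s\n' "$DIRTY_TREE" | check_tree || true
fi
```

Run against a real tree, an empty report confirms the reply's point for your build: the hivemq-mqtt-client and netty subtrees contain no log4j artifact, so any hit can only come from a dependency you or another library declared, and the `via` column names that direct dependency.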

neilm30 commented 2 years ago

@SgtSilvio Thank you for the reply, which is now very helpful to pass on to the concerned Android app teams.