nats-io / nats-jms-bridge

NATS to JMS Bridge for request/reply

Update log4j dependency [SECURITY] [CVE-2021-44228] #289

Closed philpennock closed 2 years ago

philpennock commented 2 years ago

File admin/bin/integration.sh references log4j version 2.12.1

Even if only used in tests locally, it would be good to get this upgraded so that we're not forcing vulnerable versions to even be present on local disk.

See https://logging.apache.org/log4j/2.x/security.html for the security release history.

CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints
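A check for the kind of pinned log4j reference described above, added here as an example and not code from the nats-jms-bridge repository or this thread; the sample script text is constructed, and the 2.15.0 / 2.12.2 baselines and the function names are the example's own assumptions:

```shell
#!/bin/sh
# Added example (not nats-jms-bridge code): flag pinned log4j 2.x artifacts in a
# script that sit below a remediated baseline (2.15.0 fixed CVE-2021-44228; 2.12.2 is the 2.12-line backport).

# Constructed stand-in for a script like admin/bin/integration.sh (not the real file).
SAMPLE_SCRIPT='mvn dependency:get -Dartifact=org.apache.logging.log4j:log4j-core:2.12.1
mvn dependency:get -Dartifact=org.apache.logging.log4j:log4j-api:2.12.1
cp lib/log4j-slf4j-impl-2.12.1.jar build/'

# Return 0 when dotted version $1 is strictly lower than $2 (missing components count as 0).
version_lt() {
    _a=$1 _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*} _y=${_b%%.*}
        [ -n "$_x" ] || _x=0
        [ -n "$_y" ] || _y=0
        [ "$_x" -lt "$_y" ] && return 0
        [ "$_x" -gt "$_y" ] && return 1
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    done
    return 1
}

# Print "artifact version" for every log4j-<name>:<ver> (Maven coordinate) or
# log4j-<name>-<ver> (jar name) found on stdin; variables like LOG4J_VERSION=... are not resolved.
extract_log4j_versions() {
    grep -oE 'log4j-[a-z0-9]+(-[a-z0-9]+)*[:-][0-9]+\.[0-9]+\.[0-9]+' \
      | sed -E 's/[:-]([0-9]+\.[0-9]+\.[0-9]+)$/ \1/' | sort -u
}

# Report each log4j artifact in file $1 against baseline $2; return 1 if any is below it.
check_log4j_versions() {
    extract_log4j_versions < "$1" | (
        found=0
        while read -r artifact version; do
            if version_lt "$version" "$2"; then
                echo "VULNERABLE: $artifact $version < $2 ($1)"; found=1
            else
                echo "ok: $artifact $version ($1)"
            fi
        done
        exit "$found"
    )
}

# Demo: write the constructed script to a temp file and check it against 2.15.0.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_SCRIPT" > "$tmp"
check_log4j_versions "$tmp" 2.15.0 || echo "action needed: upgrade log4j references in $tmp"
rm -f "$tmp"
```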

scottf commented 2 years ago

Fixing here: nats-jms-bridge/pull/290

philpennock commented 2 years ago

Can we now mark this as resolved?

scottf commented 2 years ago

Not yet. Sonatype seems to be currently overwhelmed and builds keep timing out. The publish I did yesterday for Release 1.0.1 published 2 of 3 components; of course, the component that failed was the admin. I'm currently trying to push 1.0.2 (I can't overwrite a release version, so I have to change the number), but those builds are failing on the first component.

philpennock commented 2 years ago

Checking https://search.maven.org/search?q=nats-jms-bridge I can confirm that 1.0.4, fixing the latest known log4j issues, is now available.