scijava / pom-scijava

Friendly base POM for all SciJava-based software
https://imagej.net/BOM
The Unlicense

Migrate away from log4j #179

Closed ctrueden closed 2 years ago

ctrueden commented 2 years ago

Both log4j v1 (log4j:log4j) and log4j v2 (org.apache.logging.log4j:log4j-core) have had security issues. The following repositories (at least) should be checked:

And migrate logging to SLF4J as appropriate.

imagesc-bot commented 2 years ago

This issue has been mentioned on Image.sc Forum. There might be relevant details there:

https://forum.image.sc/t/is-imagej-affected-by-cve-2021-44228/60968/11

ctrueden commented 2 years ago

As of b5a043e7634022a3434a408ad95822f1092af07f, the SciJava component collection is free of log4j dependencies. As soon as pom-scijava 32.0.0 is released, downstream components with lingering log4j dependencies should update their parent version, remove log4j as a direct dependency if needed, and fix any other dependency issues leading to log4j coming in transitively. If log4j 1.x functionality is still a requirement, pom-scijava now manages reload4j, so components needing it can swap it in, in place of log4j.
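The migration steps from the comment above, written out as an added Maven POM example that is not part of the original issue or of the pom-scijava project. The downstream component coordinates and the third-party artifact that pulls log4j in transitively are hypothetical placeholders; it is assumed that pom-scijava 32.0.0 manages the versions of `ch.qos.reload4j:reload4j` and `org.slf4j:slf4j-api`, so they are declared without a version.

```xml
<!-- Constructed example: fragment of a downstream component's pom.xml -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>

  <!-- Step 1: move to the parent release that no longer manages log4j. -->
  <parent>
    <groupId>org.scijava</groupId>
    <artifactId>pom-scijava</artifactId>
    <version>32.0.0</version>
    <relativePath />
  </parent>

  <!-- Hypothetical downstream component coordinates. -->
  <groupId>org.example</groupId>
  <artifactId>example-plugin</artifactId>
  <version>1.0.0-SNAPSHOT</version>

  <dependencies>
    <!-- Step 2: any direct log4j:log4j or log4j-core dependency is deleted here. -->

    <!-- Step 3: cut log4j off at the library that drags it in transitively
         (hypothetical third-party artifact). -->
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>some-library-pulling-log4j</artifactId>
      <version>2.3.4</version>
      <exclusions>
        <exclusion>
          <groupId>log4j</groupId>
          <artifactId>log4j</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- Step 4 (only if log4j 1.x API calls remain): reload4j is the drop-in
         replacement; version omitted because the parent is assumed to manage it. -->
    <dependency>
      <groupId>ch.qos.reload4j</groupId>
      <artifactId>reload4j</artifactId>
    </dependency>

    <!-- The component's own logging goes through SLF4J (version assumed managed). -->
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
    </dependency>
  </dependencies>
</project>
```

After the change, `mvn dependency:tree -Dincludes=log4j:log4j,org.apache.logging.log4j:log4j-core` should report no matching artifacts; any remaining hit names the dependency that still needs an exclusion.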