vivo-project / VIVO

VIVO is an extensible semantic web application for research discovery and showcasing scholarly work
http://vivoweb.org
BSD 3-Clause "New" or "Revised" License

Log4j security vulnerability #3913

Closed chenejac closed 7 months ago

chenejac commented 9 months ago

Describe the bug: slf4j-log4j12 version 1.7.26 depends on log4j 1.2.17 (source: https://mvnrepository.com/artifact/org.slf4j/slf4j-log4j12/1.7.26).

To Reproduce: Run some vulnerability scanner.

Expected behavior: Upgrade slf4j-log4j12 version in pom.xml file.
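As an added check (not code from the VIVO project or from this thread), the script below parses `mvn dependency:tree` text output and reports every `log4j:log4j` 1.x artifact together with the dependency chain that pulls it in, so the transitive slf4j-log4j12 to log4j 1.2.17 edge described above can be confirmed before and after changing the pom. The sample tree and its coordinates are constructed.

```python
import re
import sys
from dataclasses import dataclass, field

# One `mvn dependency:tree` line: "[INFO] " + 3-char tree cells ("+- ", "|  ", "\- ") + coordinate
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:[|+\\ -]{3})*)(?P<coord>\S+)$")
@dataclass
class Finding:
    coordinate: str                            # group:artifact:version that was flagged
    path: list = field(default_factory=list)   # root -> ... -> flagged artifact

def is_log4j1(group: str, artifact: str) -> bool:
    # log4j 1.x is published as log4j:log4j; log4j 2 uses group org.apache.logging.log4j
    return group == "log4j" and artifact == "log4j"

def find_log4j1(tree_text: str) -> list:
    """Return every log4j:log4j node with the dependency chain that pulls it in."""
    findings, stack = [], []
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # plugin banners, BUILD SUCCESS, blank lines
        depth = len(m.group("prefix")) // 3
        parts = m.group("coord").split(":")
        if len(parts) < 4:
            continue
        # root: group:artifact:type:version; dependency: ...:type[:classifier]:version:scope
        group, artifact = parts[0], parts[1]
        version = parts[-1] if len(parts) == 4 else parts[-2]
        del stack[depth:]             # pop back to this node's parent
        stack.append(f"{group}:{artifact}:{version}")
        if is_log4j1(group, artifact):
            findings.append(Finding(coordinate=stack[-1], path=list(stack)))
    return findings

# Constructed sample output (not from the VIVO build); the slf4j-log4j12 ->
# log4j 1.2.17 edge mirrors the dependency described in the issue.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ app ---
[INFO] com.example:app:jar:1.0
[INFO] +- org.slf4j:slf4j-api:jar:1.7.26:compile
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.7.26:compile
[INFO] |  \\- log4j:log4j:jar:1.2.17:compile
[INFO] \\- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO] BUILD SUCCESS
"""
if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TREE
    for f in find_log4j1(text):
        print(f"{f.coordinate} pulled in via: {' -> '.join(f.path)}")
```

Save `mvn dependency:tree` output to a file and pass its path as the only argument; with no argument the constructed sample is scanned.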

misilot commented 5 months ago

Any chance we could get a point release of v1.14? Our security folks aren't happy with log4j being present in the current release.

chenejac commented 4 months ago

Dear @misilot, thanks for reporting this. We are planning to release a patch mitigating this vulnerability (1.14.1). However, we will switch this documentation to a new ticket - https://github.com/vivo-project/VIVO/issues/3944