Update log4j-core and log4j-api dependencies to 2.15.0 #285
carlzogh merged 1 commit into aws:master (aws/aws-lambda-java-libs:master)

@msailes Will new versions of these libraries be published to maven shortly with the updated log4j2 deps? (Don't wish to push, just trying to work out the best way of handling this internally given the 0 day!)

@berry120 the publish to Maven is happening right now, thanks for insisting on the highest standards!

@carlzogh looks like it wasn't published, 1.3.0 is still missing in maven. This step is marked as failed on the commit: "AWS CodeBuild eu-west-1 (CodeCommitSync-aws-lambda-java-libs)"

@msailes Without wishing this to become a common thing (!) is it worth now making a similar PR for log4j 2.16.0? No known 0 day as of yet with 2.15.0 of course, but 2.16.0 goes a step further with security that should help to prevent similar, as of yet unknown exploits. If so then happy to create the PR.

@berry120 Thanks for the comment, I'll pass this onto the team.

Description of changes:
log4j-core and log4j-api dependencies to 2.15.0
aws-lambda-java-log4j2 version 1.3.0

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.