flexmark-java icon indicating copy to clipboard operation
flexmark-java copied to clipboard
verified publisher icon vsch

Migrate to Log4j 2.17.1

Open thomasredlin opened this issue 2 years ago • 0 comments

In main POM and flexmark-docx-converter POM, there are dependencies to Log4j 1.2.17:

https://github.com/vsch/flexmark-java/blob/8142f8fb9b15031b99940bddaac6ff466949585d/flexmark-docx-converter/pom.xml#L104-L108 https://github.com/vsch/flexmark-java/blob/8142f8fb9b15031b99940bddaac6ff466949585d/flexmark/pom.xml#L75-L80

There a several known critical security vulnerabilities as can be seen here:

  • https://mvnrepository.com/artifact/log4j/log4j/1.2.17
  • https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Alog4j&cpe_version=cpe%3A%2F%3Aapache%3Alog4j%3A1.2.17

Please migrate to Log4j 2.17.1 as we now had to exclude these dependencies from our project manually.

thomasredlin avatar Apr 17 '23 15:04 thomasredlin