[bisq-network/bisq] Avoid Log4J "Log4Shell" exploit (PR #5910)

cbeams notifications at github.com
Fri Dec 10 10:50:06 CET 2021


	commit 55becc59c010c056b5e0107760c5bf3ba1926d2c
	Author: Chris Beams <chris at beams.io>
	Date:   Fri Dec 10 10:40:36 2021 +0100

		Avoid Log4J "Log4Shell" exploit
		
		This commit upgrades our transitive dependency on Log4J 2 from 2.14.1 to
		the newly-released 2.15.0 to avoid the CVE described at
		https://www.lunasec.io/docs/blog/log4j-zero-day/.
		
		We do not use log4j directly anywhere in our codebase, so our exposure
		to this exploit was already mitigated if not eliminated, but Spring Boot
		depends on Log4J 2 internally. This commit upgrades Spring Boot's
		underlying dependency on Log4J to 2.15.0 in the manner recommended at
		https://github.com/spring-projects/spring-boot/issues/28958.

	commit 31c6e16e63e85ad99f870b2aa2f39e5fbc0380d8
	Author: Chris Beams <chris at beams.io>
	Date:   Fri Dec 10 10:34:09 2021 +0100

		Use Spring dependency-management plugin in pricenode
		
		This is in preparation for addressing the log4j 2 zero-day exploit
		described at https://www.lunasec.io/docs/blog/log4j-zero-day/. See full
		details in the next commit.
		
		Bringing in the dependency-management plugin results in many changes to
		our Gradle verification metadata file, but all are BOM / POM / Module
		manifests. No additional jar or code dependencies have been whitelisted
		with this change.
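The override the commit messages describe, shown as an added example rather than the Bisq pricenode build.gradle itself: the io.spring.dependency-management plugin reads the Spring Boot BOM's `log4j2.version` property from a Gradle `ext` entry, so one line replaces the BOM-managed 2.14.1 for every Log4J 2 artifact. The plugin versions, the starter dependency and the `checkLog4jVersion` task are assumptions for the sake of a runnable build file.

```groovy
// Added example, not the Bisq project's build.gradle. Pins the Log4J 2
// version that Spring Boot pulls in transitively via the
// io.spring.dependency-management plugin introduced by the PR.
plugins {
    id 'java'
    id 'org.springframework.boot' version '2.5.7'                 // assumed
    id 'io.spring.dependency-management' version '1.0.11.RELEASE' // assumed
}

// Spring Boot's BOM exposes its Log4J version as the property 'log4j2.version'.
// Setting it here overrides the BOM-managed 2.14.1 for log4j-api, log4j-core,
// log4j-to-slf4j and any other org.apache.logging.log4j artifact the BOM manages.
ext['log4j2.version'] = '2.15.0'

repositories {
    mavenCentral()
}

dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-web' // assumed
}

// Fail the build if any Log4J 2 artifact on the runtime classpath still
// resolves to something other than the pinned version, so the override is
// verified on every build instead of trusted once.
tasks.register('checkLog4jVersion') {
    doLast {
        def pinned = project.ext['log4j2.version']
        def stale = configurations.runtimeClasspath.resolvedConfiguration
            .resolvedArtifacts
            .collect { it.moduleVersion.id }
            .findAll { it.group == 'org.apache.logging.log4j' && it.version != pinned }
        if (!stale.empty) {
            throw new GradleException("Log4J artifacts not at ${pinned}: ${stale}")
        }
        println "All Log4J 2 artifacts resolve to ${pinned}"
    }
}
```

`gradle dependencies --configuration runtimeClasspath` shows the same resolution the task checks; later Log4J 2.x releases superseded 2.15.0 with further fixes, and the version string is the only thing to change.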


You can view, comment on, or merge this pull request online at:

  https://github.com/bisq-network/bisq/pull/5910

-- Commit Summary --

  * Use Spring dependency-management plugin in pricenode
  * Avoid Log4J "Log4Shell" exploit

-- File Changes --

    M build.gradle (4)
    M gradle/verification-metadata.xml (365)

-- Patch Links --

https://github.com/bisq-network/bisq/pull/5910.patch
https://github.com/bisq-network/bisq/pull/5910.diff
