[bisq-network/bisq] Avoid Log4J "Log4Shell" exploit (PR #5910)
cbeams
notifications at github.com
Fri Dec 10 10:50:06 CET 2021
commit 55becc59c010c056b5e0107760c5bf3ba1926d2c
Author: Chris Beams <chris at beams.io>
Date: Fri Dec 10 10:40:36 2021 +0100
Avoid Log4J "Log4Shell" exploit
This commit upgrades our transitive dependency on Log4J 2 from 2.14.1 to
the newly-released 2.15.0 to avoid the CVE described at
https://www.lunasec.io/docs/blog/log4j-zero-day/.
We do not use log4j directly anywhere in our codebase, so our exposure
to this exploit was already mitigated if not eliminated, but Spring Boot
depends on Log4J 2 internally. This commit upgrades Spring Boot's
underlying dependency on Log4J to 2.15.0 in the manner recommended at
https://github.com/spring-projects/spring-boot/issues/28958.
commit 31c6e16e63e85ad99f870b2aa2f39e5fbc0380d8
Author: Chris Beams <chris at beams.io>
Date: Fri Dec 10 10:34:09 2021 +0100
Use Spring dependency-management plugin in pricenode
This is in preparation for addressing log4j 2 zero day exploit described
at https://www.lunasec.io/docs/blog/log4j-zero-day/. See full details
in the next commit.
Bringing in the dependency-management plugin results in many changes to
our Gradle verification metadata file, but all are BOM / POM / Module
manifests. No additional jar or code dependencies have been whitelisted
with this change.
You can view, comment on, or merge this pull request online at:
https://github.com/bisq-network/bisq/pull/5910
-- Commit Summary --
* Use Spring dependency-management plugin in pricenode
* Avoid Log4J "Log4Shell" exploit
-- File Changes --
M build.gradle (4)
M gradle/verification-metadata.xml (365)
-- Patch Links --
https://github.com/bisq-network/bisq/pull/5910.patch
https://github.com/bisq-network/bisq/pull/5910.diff
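A worked check to go with the upgrade, added here as an example and not code from the PR or the bisq code base: once the override that the Spring Boot issue recommends for Gradle users (ext['log4j2.version'] = '2.15.0' in build.gradle) is in place, the thing to confirm is the version Gradle actually resolves, which is what "./gradlew dependencies --configuration runtimeClasspath" prints. The script parses such a report and fails only on log4j-core, because the JNDI lookup behind the exploit lives in that artifact; log4j-api and log4j-to-slf4j, which spring-boot-starter-logging brings in, do not carry it. The two reports it runs on are constructed, and com.example:legacy-metrics is a hypothetical dependency introduced to show a real log4j-core on the classpath. The floor is a parameter because Apache published further 2.x fixes in the days after 2.15.0.

```python
"""Flag Log4j 2 artifacts that Gradle resolves below a minimum version.

Input is the text of `./gradlew dependencies --configuration runtimeClasspath`.
Example code added for illustration; not part of the bisq repository.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample reports (not real bisq output). com.example:legacy-metrics is a
# hypothetical artifact that drags in log4j-core; spring-boot-starter-logging itself
# brings only log4j-to-slf4j and log4j-api.
REPORT_BEFORE = r"""
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.springframework.boot:spring-boot-starter-web:2.5.6
|    \--- org.springframework.boot:spring-boot-starter-logging:2.5.6
|         +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
|         |    \--- org.apache.logging.log4j:log4j-api:2.14.1
|         \--- ch.qos.logback:logback-classic:1.2.6
\--- com.example:legacy-metrics:1.0
     +--- org.apache.logging.log4j:log4j-core:2.14.1
     \--- org.apache.logging.log4j:log4j-api:2.14.1 (*)
"""

# Same graph after ext['log4j2.version'] = '2.15.0' lets the Spring Boot BOM manage every
# org.apache.logging.log4j artifact; Gradle prints "declared -> resolved" on an override.
REPORT_AFTER = r"""
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.springframework.boot:spring-boot-starter-web:2.5.6
|    \--- org.springframework.boot:spring-boot-starter-logging:2.5.6
|         +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1 -> 2.15.0
|         |    \--- org.apache.logging.log4j:log4j-api:2.14.1 -> 2.15.0
|         \--- ch.qos.logback:logback-classic:1.2.6
\--- com.example:legacy-metrics:1.0
     +--- org.apache.logging.log4j:log4j-core:2.14.1 -> 2.15.0
     \--- org.apache.logging.log4j:log4j-api:2.14.1 -> 2.15.0 (*)
"""

# A dependency line starts with tree drawing ("+--- ", "|    \--- ") followed by the coordinate.
TREE_LINE = re.compile(r"^[\s|+\\]*---\s+(?P<rest>.+)$")
COORDINATE = re.compile(
    r"^(?P<group>[\w.\-]+):(?P<name>[\w.\-]+)"
    r"(?::(?P<declared>[\w.\-]+))?"         # version is absent when only a BOM supplies it
    r"(?:\s+->\s+(?P<resolved>[\w.\-]+))?"  # "declared -> resolved" on conflict or override
)
LOG4J_GROUP = "org.apache.logging.log4j"


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.15.0' -> (2, 15, 0, 0); a pre-release tag such as '2.15.0-rc1' ranks below the release."""
    nums: List[int] = []
    for piece in re.split(r"[.\-]", version):
        if piece.isdigit():
            nums.append(int(piece))
        else:
            nums.append(-1)
            break
    return tuple((nums + [0, 0, 0, 0])[:4])


def resolved_versions(report: str) -> Dict[str, Set[str]]:
    """Map 'group:name' to every version Gradle actually resolved for it."""
    found: Dict[str, Set[str]] = {}
    for line in report.splitlines():
        tree = TREE_LINE.match(line)
        if not tree:
            continue  # header, blank or footer lines
        coord = COORDINATE.match(tree.group("rest"))
        if not coord:
            continue  # e.g. "project :core" entries
        version = coord.group("resolved") or coord.group("declared")
        if version is None:
            continue  # no version at all, nothing to compare
        key = f"{coord.group('group')}:{coord.group('name')}"
        found.setdefault(key, set()).add(version)
    return found


def find_vulnerable(report: str, min_version: str = "2.15.0",
                    artifacts: Tuple[str, ...] = ("log4j-core",)) -> List[Tuple[str, str]]:
    """Return sorted (coordinate, version) pairs for Log4j 2 artifacts resolved below min_version.

    Default scope is log4j-core only: the JNDI lookup behind CVE-2021-44228 lives there,
    so log4j-api or log4j-to-slf4j on their own do not make a build exploitable.
    """
    floor = parse_version(min_version)
    findings: List[Tuple[str, str]] = []
    for coord, versions in resolved_versions(report).items():
        group, name = coord.split(":", 1)
        if group != LOG4J_GROUP or name not in artifacts:
            continue
        findings.extend((coord, v) for v in versions if parse_version(v) < floor)
    return sorted(findings)


if __name__ == "__main__":
    for label, report in (("before", REPORT_BEFORE), ("after", REPORT_AFTER)):
        bad = find_vulnerable(report)
        print(f"{label}: {'OK' if not bad else bad}")
```

Run it against a saved report with a later floor (for instance find_vulnerable(text, min_version="2.17.1")) to re-check the same classpath after the follow-on releases; passing artifacts=("log4j-core", "log4j-api") widens the report to every Log4j 2 jar when you want an inventory rather than a pass/fail.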