On Wed, Jan 26, 2022 at 7:50 AM Andrew Marlow <marlow.agents@gmail.com> wrote:

On Wed, 26 Jan 2022 at 14:53, Jean-Frederic Mesnil <jmesnil@redhat.com> wrote:
Hi Andrew,

> On 26 Jan 2022, at 15:46, Andrew Marlow <marlow.agents@gmail.com> wrote:
> I see that WildFly 26.0.1 refers to log4j2 version 2.17.1 and this is good due to the recent kerfuffle with log4j2 CVEs. However, I don't see this being patched back to earlier WildFly versions. Is there any plan to?

We don’t have plans to patch Log4J in previous releases of WildFly.

That's not what I meant. I'm not asking for Log4J to be patched. I was asking for the WildFly module file in WildFly 23.0.2 that refers to log4j version 2.14.0 to refer to 2.17.1 instead. That change would result in the creation of WildFly 23.0.3.

To be clear, the log4j 2 CVEs are all in log4j-core, which is not shipped in WildFly at all. Only the log4j-api is shipped and there are no CVEs there even in 2.14.0.
 
 
As Brian mentioned in his mail about "WildFly Releases in 2022", WildFly 26.1 will be the last version of WildFly to run on Java SE 8 (and EE8). WildFly 27 is targeting Java EE 10 and Java SE 11.
Does that answer your questions?

Yes it does. Thank you. I will bring this to the attention of The Powers That Be on my project and suggest that they consider moving to 26.
 
Best regards,
Jeff

--
Jeff Mesnil
Principal Software Engineer
Red Hat
http://jmesnil.net/
_______________________________________________
wildfly-dev mailing list -- wildfly-dev@lists.jboss.org
To unsubscribe send an email to wildfly-dev-leave@lists.jboss.org
--
Regards,

Andrew Marlow
http://www.andrewpetermarlow.co.uk



--
James R. Perkins
JBoss by Red Hat
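
The log4j-api versus log4j-core distinction made in this thread can be checked on an installation; the following is an added example, not code from the thread or from the WildFly project. It reports log4j jars by file name and by content, including jars bundled inside WAR/EAR deployments. The function names, the choice of `JndiLookup.class` as the content marker, and the directory layout in `demo()` are assumptions made for the example.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

CORE_MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # only in log4j-core
NAME = re.compile(r"log4j-(?:api|core)-\d+(?:\.\d+)+")
ARCHIVES = (".jar", ".war", ".ear")

def inspect_archive(zf, label, findings, depth=0):
    names = zf.namelist()
    m = NAME.search(label.rsplit("/", 1)[-1])
    has_core = CORE_MARKER in names  # content check catches renamed jars
    if m or has_core:
        findings.append((label, m.group(0) if m else "unknown", has_core))
    for n in names if depth < 2 else []:  # descend into WAR/EAR-bundled jars
        if n.lower().endswith(ARCHIVES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(n))) as inner:
                    inspect_archive(inner, f"{label}!/{n}", findings, depth + 1)
            except zipfile.BadZipFile:
                pass  # mislabelled file, nothing to inspect

def scan_log4j(root):  # -> [(path, artifact, has_core_classes), ...]
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVES:
            try:
                with zipfile.ZipFile(p) as zf:
                    inspect_archive(zf, p.relative_to(root).as_posix(), findings)
            except zipfile.BadZipFile:
                continue
    return findings

def zip_bytes(entries):  # in-memory archive from {name: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo():  # constructed layout, not a real WildFly tree
    with tempfile.TemporaryDirectory() as d:
        Path(d, "log4j-api-2.14.0.jar").write_bytes(zip_bytes({"META-INF/MANIFEST.MF": b""}))
        Path(d, "app.war").write_bytes(zip_bytes({"WEB-INF/lib/logging.jar": zip_bytes({CORE_MARKER: b""})}))
        return scan_log4j(d)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A row whose last field is `True`, or whose artifact starts with `log4j-core`, means log4j-core classes are present at that path; the server's own log4j-api jar alone does not produce one.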