On 26 Jan 2022, at 16:49, Andrew Marlow <marlow.agents(a)gmail.com> wrote:
On Wed, 26 Jan 2022 at 14:53, Jean-Frederic Mesnil <jmesnil(a)redhat.com> wrote:
Hi Andrew,
> On 26 Jan 2022, at 15:46, Andrew Marlow <marlow.agents(a)gmail.com> wrote:
> I see that wildfly 26.0.1 refers to log4j2 version 2.17.1 and this is good due to
> the recent kerfuffle with log4j2 CVEs. However, I don't see this being patched back to
> earlier wildfly versions. Is there any plan to?
We don’t have plans to patch Log4J in previous releases of WildFly.
That's not what I meant. I'm not asking for Log4J to be patched. I was asking for
the wildfly module file in wildfly 23.0.2 that refers to log4j version 2.14.0 to refer to
2.17.1 instead. That change would result in the creation of wildfly 23.0.3.
You're right, my sentence was poorly worded.
We do not plan to release earlier versions of WildFly with updated log4j. So, in your
specific case, we will not release a 23.0.3 release of WildFly.
Sorry for the confusion,
Jeff
--
Jeff Mesnil
Principal Software Engineer
Red Hat
http://jmesnil.net/