[wildfly-dev] Re: wildfly, log4j2 CVE fixes and fix releases
On Wed, 26 Jan 2022 at 14:53, Jean-Frederic Mesnil <jmesnil(a)redhat.com>
wrote:
Hi Andrew,
> On 26 Jan 2022, at 15:46, Andrew Marlow <marlow.agents(a)gmail.com> wrote:
> I see that wildfly 26.0.1 refers to log4j2 version 2.17.1 and this is
good due to the recent kerfuffle with log4j2 CVEs. However, I don't see
this being patched back to earlier wildfly versions. Is there any plan to?
We don’t have plans to patch Log4J in previous releases of WildFly.
That's not what I meant. I'm not asking for Log4J to be patched. I was
asking for the wildfly module file in wildfly 23.0.2 that refers to log4j
version 2.14.0 to refer to 2.17.1 instead. That change would result in the
creation of wildfly 23.0.3.
As Brian mentioned in his mail about "WildFly Releases in 2022”,
WildFly
26.1 will be the last version of WildFly to run on Java SE 8 (and EE8).
WildFly 27 is targeting Java EE 10 and Java SE 11.
Does that answer your questions?
Yes it does. Thank you. I will bring this to the attention of The Powers
That Be on my project and suggest that consider moving to 26.
Best regards,
Jeff
--
Jeff Mesnil
Principal Software Engineer
Red Hat
http://jmesnil.net/
_______________________________________________
wildfly-dev mailing list -- wildfly-dev(a)lists.jboss.org
To unsubscribe send an email to wildfly-dev-leave(a)lists.jboss.org
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
--
Regards,
Andrew Marlow
http://www.andrewpetermarlow.co.uk
Attachments:
- attachment.html (text/html — 2.5 KB)