The tag is rel/2.17.1 as usual. Download page is linked in the linked announcement email of the release.

--
Matt Sicker

> On Dec 28, 2021, at 13:58, Jason Pyeron <[email protected]> wrote:
>
>> -----Original Message-----
>> From: Matt Sicker [mailto:[email protected]]
>> Sent: Tuesday, December 28, 2021 2:27 PM
>> To: [email protected]; [email protected]
>> Subject: CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration
>>
>> Severity: moderate
>>
>> Description:
>>
>> Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with
>
> I do not see the (git) tag or download on the site. Am I missing something?
>
>> permission to modify the logging configuration file can construct a malicious
>> configuration using a JDBC Appender with a data source referencing a JNDI URI which can
>> execute remote code. This issue is fixed by limiting JNDI data source names to the java
>> protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
>>
>> This issue is being tracked as LOG4J2-3293,
>>
>> References:
>>
>> https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143
>> https://issues.apache.org/jira/browse/LOG4J2-3293
>
> --
> Jason Pyeron | Architect
> PD Inc | Certified SBA 8(a)
> 10 w 24th St | Certified SBA HUBZone
> Baltimore, MD | CAGE Code: 1WVR6
>
> .mil: [email protected]
> .com: [email protected]
> tel : 202-741-9397
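
Added example, not part of this thread and not Log4j2 code: a configuration audit that applies the advisory's fix rule (JNDI data source names limited to the java protocol) to the JDBC appenders in a `log4j2.xml`. The sample configuration, appender names and hosts are constructed placeholders; treating only a literal `java:` prefix as acceptable is a strict reading of the advisory, assumed here.

```python
import xml.etree.ElementTree as ET

# Constructed sample log4j2.xml (not from the advisory); names and hosts are placeholders.
SAMPLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="auditDb" tableName="app_log">
      <DataSource jndiName="java:/comp/env/jdbc/LoggingDataSource"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <JDBC name="remoteDb" tableName="app_log">
      <DataSource jndiName="ldap://directory.example.invalid/cn=ds"/>
    </JDBC>
    <jdbc name="lookupDb" tableName="app_log">
      <datasource JNDINAME="${env:LOG_DS}"/>
    </jdbc>
  </Appenders>
</Configuration>
"""

def _local(tag):
    # Drop any XML namespace and lower-case: Log4j2 matches plugin names case-insensitively.
    return tag.rsplit("}", 1)[-1].lower()

def _attr(elem, wanted):
    # Case-insensitive attribute lookup, returning "" when the attribute is absent.
    return next((v.strip() for k, v in elem.attrib.items() if k.lower() == wanted), "")

def audit_jdbc_appenders(xml_text):
    """Return (appender name, jndiName, verdict) for each JDBC appender DataSource."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "jdbc":
            continue
        for child in elem:
            if _local(child.tag) != "datasource":
                continue
            jndi = _attr(child, "jndiname")
            if "${" in jndi:
                verdict = "review"  # resolved at runtime, cannot be judged statically
            elif jndi.startswith("java:"):
                verdict = "ok"
            else:
                verdict = "flag"    # anything other than the java protocol
            findings.append((_attr(elem, "name"), jndi, verdict))
    return findings

if __name__ == "__main__":
    for name, jndi, verdict in audit_jdbc_appenders(SAMPLE_CONFIG):
        print(f"{verdict:6} {name:10} {jndi}")
```

A `flag` or `review` result on a host running a version in the affected range is the combination to prioritise, alongside checking who can write to the configuration file.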
