Yeah, Roller itself did log with Log4j 1; however, it did pull Log4j 2 too,
due to the fact that Struts was/is using it, I just noticed.
So I retract my statement that Roller 6.0.2 should not be affected by
this - the attack surface is just smaller.
I unified everything to slf4j and mapped it to
Nice! I did not remember that 6.0.2 still used Log4j 1.
On Sat, Dec 11, 2021 at 4:20 PM Michael Bien wrote:
> Hello Everyone,
>
> Just a heads up in case you are building and running Apache Roller from
> master, please rebuild your instance with the latest changes.
>
> It contains an important d
Hello Everyone,
Just a heads up in case you are building and running Apache Roller from
master, please rebuild your instance with the latest changes.
It contains an important dependency update
(https://github.com/apache/roller/pull/106) for Log4j 2 which suffered
from an RCE security vulnerab