
Fix critical vulnerability in log4j #207

Merged, 1 commit, Dec 10, 2021

Conversation

@stigkj (Contributor) commented Dec 10, 2021

There is a critical vulnerability in Log4j, more information here:
https://www.lunasec.io/docs/blog/log4j-zero-day/

@hudson155 commented

LGTM – thanks for doing this

@oshai (Owner) commented Dec 10, 2021

Thanks for the PR!

@oshai oshai merged commit 8e7b55e into oshai:master Dec 10, 2021
@edeak commented Dec 10, 2021

@hudson155 do you guys have an ETA for rolling this out to a release?

@oshai (Owner) commented Dec 11, 2021

I am releasing 2.1.16 with the change now. Note that since this is only a test dep it's not transitive, so not really needed by users of the lib.

@nippip commented Dec 13, 2021

> I am releasing 2.1.16 with the change now. Note that since this is only a test dep it's not transitive, so not really needed by users of the lib.

@oshai Would you mind elaborating on your statement above and point to some code snips to better understand how this is or is not affecting users of the lib?

@oshai (Owner) commented Dec 13, 2021

> I am releasing 2.1.16 with the change now. Note that since this is only a test dep it's not transitive, so not really needed by users of the lib.
>
> @oshai Would you mind elaborating on your statement above and point to some code snips to better understand how this is or is not affecting users of the lib?

kotlin-logging is a facade (similar to slf4j), which means it only wraps the implementation you choose as a logging framework.
Popular implementations are logback and log4j.
In the tests of kotlin-logging we needed an actual implementation to use. We could write our own mocks, but it makes more sense to take an actual impl for that, to reflect how users use the lib. So kotlin-logging depends on log4j for testing only.
Example of such tests can be seen here.
You can see the dependency here:

It means that this dependency does not pass transitively to users of kotlin-logging, and therefore users don't need to upgrade kotlin-logging itself. You can also see that in the pom that is generated for kotlin-logging.
For people to feel safer and for our own safety (when running tests) we upgraded the kotlin-logging dependency on log4j.
So it's not really needed, but I will not stop you from upgrading.

Hope that clears things a bit more. You can see some more info on the issue #206.
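A way to verify a claim like the one above for any published artifact, as an added example that is not part of this PR or of the kotlin-logging project: parse the artifact's POM and report which log4j dependencies carry a scope that Maven propagates to consumers (test, provided and system scopes, and optional dependencies, do not). The sample POM, its coordinates and its version strings are constructed here for illustration only.

```python
"""Report log4j dependencies in a Maven POM and whether consumers inherit them."""
import xml.etree.ElementTree as ET

LOG4J_GROUP = "org.apache.logging.log4j"
# Maven does not pass dependencies in these scopes on to consumers.
NON_TRANSITIVE_SCOPES = {"test", "provided", "system"}


def _tag(root, name):
    """Prefix a tag with the POM namespace declared on the root element, if any."""
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""
    return f"{{{ns}}}{name}" if ns else name


def log4j_dependencies(pom_xml):
    """Return (artifactId, version, scope, transitive) for each direct log4j dependency."""
    root = ET.fromstring(pom_xml)
    deps_node = root.find(_tag(root, "dependencies"))  # direct deps only, not dependencyManagement
    results = []
    for dep in ([] if deps_node is None else deps_node.findall(_tag(root, "dependency"))):
        if dep.findtext(_tag(root, "groupId"), default="").strip() != LOG4J_GROUP:
            continue
        artifact = dep.findtext(_tag(root, "artifactId"), default="").strip()
        version = dep.findtext(_tag(root, "version"), default="").strip()
        scope = dep.findtext(_tag(root, "scope"), default="compile").strip()  # Maven default scope
        optional = dep.findtext(_tag(root, "optional"), default="false").strip() == "true"
        transitive = scope not in NON_TRANSITIVE_SCOPES and not optional
        results.append((artifact, version, scope, transitive))
    return results


def transitive_log4j(pom_xml):
    """Only the log4j dependencies a consumer of this artifact would actually pull in."""
    return [d for d in log4j_dependencies(pom_xml) if d[3]]


# Constructed sample POM: log4j-core declared in test scope, the situation described above.
TEST_SCOPED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>example-facade</artifactId><version>0.0.0</version>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId>
      <version>0.0.0</version><scope>test</scope>
    </dependency>
  </dependencies>
</project>"""

# Same POM with the scope element removed: Maven then defaults to compile, which is transitive.
COMPILE_SCOPED_POM = TEST_SCOPED_POM.replace("<scope>test</scope>", "")

if __name__ == "__main__":
    print("test-scoped  ->", transitive_log4j(TEST_SCOPED_POM))     # []
    print("default scope ->", transitive_log4j(COMPILE_SCOPED_POM))  # log4j-core flagged
```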

@stigkj stigkj deleted the log4j-vulnerability branch December 17, 2021 15:20