Upgrade log4j2 to 2.15.0 (#8281)

74c0f1e4 · wu-sheng · GitHub · f2229b6f · 74c0f1e4 · 74c0f1e4
Showing with 6 addition and 6 deletion

CHANGES.md CHANGES.md +2 -2

oap-server-bom/pom.xml oap-server-bom/pom.xml +1 -1

tools/dependencies/known-oap-backend-dependencies.txt tools/dependencies/known-oap-backend-dependencies.txt +3 -3

未找到文件。
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -7,6 +7,8 @@ Release Notes.

 #### Project

+* Upgrade log4j2 to 2.15.0 for easing the CVE concern. Officially, unless users open `level=DEBUG` for gRPC/HTTP
+  handler(s), no security error.

 #### OAP Server

@@ -16,10 +18,8 @@ Release Notes.

 #### UI

-
 #### Documentation

-
 All issues and pull requests are [here](https://github.com/apache/skywalking/milestone/112?closed=1)

 ------------------

--- a/oap-server-bom/pom.xml
+++ b/oap-server-bom/pom.xml
@@ -29,7 +29,7 @@

    <properties>
        <slf4j.version>1.7.30</slf4j.version>
-        <log4j.version>2.14.1</log4j.version>
+        <log4j.version>2.15.0</log4j.version>
        <graphql-java-tools.version>5.2.3</graphql-java-tools.version>
        <graphql-java.version>8.0</graphql-java.version>
        <okhttp.version>3.14.9</okhttp.version>

--- a/tools/dependencies/known-oap-backend-dependencies.txt
+++ b/tools/dependencies/known-oap-backend-dependencies.txt
@@ -93,10 +93,10 @@ kotlin-reflect-1.1.1.jar
 kotlin-stdlib-1.1.60.jar
 libthrift-0.14.1.jar
 listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
-log4j-api-2.14.1.jar
-log4j-core-2.14.1.jar
+log4j-api-2.15.0.jar
+log4j-core-2.15.0.jar
 log4j-over-slf4j-1.7.30.jar
-log4j-slf4j-impl-2.14.1.jar
+log4j-slf4j-impl-2.15.0.jar
 logging-interceptor-3.13.1.jar
 lz4-java-1.6.0.jar
 micrometer-core-1.7.6.jar