Comment From: zhoujia1974

What is the target release date for this CVE patch?

Comment From: scottfrederick

@zhoujia1974 The project milestones page shows the planned dates for upcoming releases, including the 2.5.8 release that this issue is scheduled for.

Comment From: madorb

Considering the severity of this CVE, could that be moved up? (I know folks can fix it otherwise... but will they?)

Comment From: philwebb

We discussed the idea of doing an earlier release but ultimately decided to stick with our existing schedule. The main reason is we manage an awful lot of dependencies and we don’t really want to trigger releases anytime one of them has a CVE. Another factor is the fact that our out-of-the-box setup doesn’t include log4j-core.

We have published a blog post about the vulnerability to help people understand their options. It’s at https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot

Comment From: madorb

Totally agree with that in general - but this isn't exactly your average CVE. It certainly helps that it's not the default logging framework, but... still, to this layman, it seems patch-worthy. Thanks for the detailed blog post tho! That'll definitely help folks.

Comment From: mauromol

Will this be backported to Spring Boot 2.4.x? The blog article speaks about just 2.5.x and 2.6.x.

Comment From: bclozel

@mauromol Spring Boot 2.4.x is out of OSS support.

Comment From: snicoll

Reopening to upgrade to 2.17.0 per CVE-2021-45105.