Commit 8a3d175

Release v1.8.1 (#292)
* Update README.md
* Release v1.8.1
1 parent 2498db5 commit 8a3d175

3 files changed

+20
-8
lines changed


CHANGELOG.md

Lines changed: 4 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -1,5 +1,9 @@
11
# Change Log
22

3+
# 1.8.1
4+
5+
- Update log4j dependencies to v2.17.0 to fix CVE-2021-45105 [#291](https://github.com/rollbar/rollbar-java/pull/291)
6+
37
# 1.8.0
48

59
- Update log4j dependencies to v 2.16.0 (#287)
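Review bot: the new 1.8.1 entry is formatted differently from the 1.8.0 entry directly below it (`v2.17.0` with a linked PR reference versus `v 2.16.0 (#287)` with a stray space and a bare issue number); pick one style for the changelog, preferably the linked form used here, and apply it to both entries so the file stays consistent as more Log4j bumps get recorded.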

gradle.properties

Lines changed: 1 addition & 1 deletion
@@ -1,4 +1,4 @@
1-
VERSION_NAME=1.8.1-SNAPSHOT
1+
VERSION_NAME=1.8.1
22
GROUP=com.rollbar
33

44
POM_DESCRIPTION=For connecting your applications built on the JVM to Rollbar for Error Reporting
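Review bot: dropping `-SNAPSHOT` here turns `1.8.1` into the published coordinate that the README change in this same commit now pins (`version: '1.8.1'`); make sure the 1.8.1 tag and artifact publication are cut from this commit, otherwise the README's Gradle example will not resolve until the release actually lands.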

rollbar-log4j2/README.md

Lines changed: 15 additions & 7 deletions
@@ -1,28 +1,36 @@
11
# Rollbar Log4j 2 integration
22

3-
This directory contains the Log4j 2 integration of the Rollbar Java SDK.
3+
This directory contains the Log4j 2 integration of the Rollbar Java SDK.
44

55
Instructions for building and contributing to the SDK can be found in the main repository [README](../README.md).
66

77
## Compatibility
88

9-
Staring with version `1.8.0`, `rollbar-log4j2` depends on version `2.16.0` of `log4j-core`. This removes compatibility with Java 7, but was a necessary upgrade to fix the CVE-2021-44228 vulnerability in Log4j.
9+
Staring with version `1.8.0`, `rollbar-log4j2` depends on version `2.16.0` (or later) of `log4j-core`.
10+
This removes compatibility with Java 7, but was a necessary upgrade to fix the following vulnerabilites in Log4j:
1011

11-
Projects built and / or running with Java 7 can still use `rollbar-log4j2` version `1.8.0`, while forcing the use of a **vulnerable**, Java 7 compatible version of `Log4j`, by updating their build configuration to ignore transitive dependencies from `rollbar-log4j2`.
12+
- CVE-2021-44228
13+
- CVE-2021-45046
14+
- CVE-2021-45105
15+
16+
Projects built and/or running with Java 7 can still use `rollbar-log4j2` version `1.8.0+`,
17+
while forcing the use of a **vulnerable**, Java 7 compatible version of `Log4j`,
18+
by updating their build configuration to ignore transitive dependencies from `rollbar-log4j2`.
1219

1320
Gradle configuration:
1421

1522
```gradle
1623
dependencies {
17-
implementation(group: 'com.rollbar', name: 'rollbar-log4j2', version: '1.8.0') {
24+
implementation(group: 'com.rollbar', name: 'rollbar-log4j2', version: '1.8.1') {
1825
exclude group: 'org.apache.logging.log4j'
1926
}
2027
21-
implementation group: 'org.apache.logging.log4j', name: 'log4j-slf4j-impl', version: '2.12.1'
22-
annotationProcessor group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.12.1'
28+
implementation group: 'org.apache.logging.log4j', name: 'log4j-slf4j-impl', version: '2.12.2'
29+
annotationProcessor group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.12.2'
2330
}
2431
2532
```
2633

27-
Note CVE-2021-44228 is a major RCE vulnerability and this approach should only be used after a thorough security analysis, and with very strong mitigations in place.
34+
While CVE-2021-44228 and CVE-2021-45046 are already fixed in `2.12.2`, CVE-2021-45105 is **not** fixed for Java 7.
35+
Note CVE-2021-45105 is a high DoS vulnerability and this approach should only be used after a thorough security analysis, and with very strong mitigations in place.
2836
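Review bot: the added sentence "CVE-2021-45105 is **not** fixed for Java 7" is stated as an absolute, while the paragraph above already hedges with "`2.16.0` (or later)"; tie the claim to the version the example actually pins ("CVE-2021-45105 is not fixed in `2.12.2`") so the README does not go stale the moment a Java 7 compatible patch ships. Two typos survive in the rewritten lines: "Staring" should be "Starting" and "vulnerabilites" should be "vulnerabilities". It would also help to spell out that `exclude group: 'org.apache.logging.log4j'` strips every Log4j artifact from `rollbar-log4j2`'s transitive graph, so the explicit `log4j-slf4j-impl` line is what brings `log4j-core` and `log4j-api` back at runtime; a reader who omits that line would end up with no Log4j core on the classpath.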
