fix: pax-logging-log4j2 ranges affected by CVE-2021-44832
#5523
Conversation
This PR fixes the ranges of `pax-logging-log4j2` affected by CVE-2021-44832. In my previous PRs for CVE-44832 (github#5504) all versions 1.x of `pax-logging-log4j2` were listed as affected. As it turns out, this is incorrect, since 7 security releases of version 1.x were created to address those issues, as summarized by the table below: | PAX Logging version | Log4j Core version | Fixed CVEs | |---------------------|--------------------|--------------------------------| | 1.9.2 | 2.12.4 | all 4 CVEs | | 1.10.8 | 2.12.2 | CVE-2021-44228, CVE-2021-45046 | | 1.10.9 | 2.12.4 | CVE-2021-45105, CVE-2021-44832 | | 1.11.10 | 2.15.0 | CVE-2021-44228 | | 1.11.11 | 2.16.0 | CVE-2021-45046 | | 1.11.12 | 2.17.0 | CVE-2021-45105 | | 1.11.13 | 2.17.1 | CVE-2021-44832 |
There was a problem hiding this comment.
Pull Request Overview
This PR updates the version ranges for the Maven package "org.ops4j.pax.logging:pax-logging-log4j2" affected by CVE-2021-44832. Key changes include adding a fixed version "1.9.2", introducing new ranges for versions "1.10.0"–"1.10.9" and "1.11.0"–"1.11.13", and specifying a range for version "2.0.0"–"2.0.14".
advisories/github-reviewed/2022/01/GHSA-8489-44mv-ggj8/GHSA-8489-44mv-ggj8.json
Show resolved
Hide resolved
advisories/github-reviewed/2022/01/GHSA-8489-44mv-ggj8/GHSA-8489-44mv-ggj8.json
Show resolved
Hide resolved
There was a problem hiding this comment.
Pull Request Overview
This PR corrects the affected version ranges of pax-logging-log4j2 for CVE-2021-44832 in the advisory JSON.
- Added the fixed version for 1.x between 1.8.0 and 1.9.2.
- Introduced two new range entries for versions 1.10.x and 1.11.x, and retained the existing 2.0.x range update.
73ab9f3
into
github:ppkarwasz/advisory-improvement-5523
|
Hi @ppkarwasz! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
This PR fixes the ranges of
pax-logging-log4j2affected by CVE-2021-44832.In my previous PRs for CVE-44832 (#5504) all versions 1.x of
pax-logging-log4j2were listed as affected. As it turns out, this is incorrect, since 7 security releases of version 1.x were created to address those issues, as summarized by the table below: