Can someone pls remind me which release of Lucee deals with the Log4J issue?
Adam Cameron
04/13/2022, 11:09 PM
Not the "we're so out of date it doesn't matter" version, but the version that updates the Log4J version to the current patched version.
I've lost track.
seancorfield
04/13/2022, 11:24 PM
Pretty sure that was 5.3.9
seancorfield
04/13/2022, 11:25 PM
I searched the #lucee archives -- note: it also deletes any log4j 1.x bundles it finds
seancorfield
04/13/2022, 11:25 PM
(you expressed outrage about that at the time 🙂 )
seancorfield
04/13/2022, 11:27 PM
I don't know whether they backported it to any earlier versions (I doubt it).
Adam Cameron
04/13/2022, 11:30 PM
"outrage" might be overstating it. "Derision as to whether that is part of Lucee's remit" might be more like it. And I recall that it was reflecting/agreeing-with/amplifying the zeitgeist.
Adam Cameron
04/13/2022, 11:33 PM
But cheers.
As a member of the public who can't search Slack channel archives... how do I arrive at this "5.3.9" conclusion? Looking for a public-facing "5.3.9: fixes Log4J vuln" note or something to that effect.
seancorfield
04/13/2022, 11:38 PM
Looks like 5.3.9 is still in the RC phase so there's no single release notes doc yet.
Yeah this touches on why I was asking. There seemed to be a flurry of intended action initially and then it kinda disappeared into a mias_m_a of uncertainty
ryan
04/14/2022, 2:03 PM
Off topic: @Adam Cameron is "miasa" meant to be "miasma"? Was attempting to look up this word 🙂