Can someone pls remind me which release of Lucee deals with the Log4J issue?
Not the "we're so out of date it doesn't matter" version, but the version that updates the Log4J version to the current patched version. I've lost track.
Pretty sure that was 5.3.9
I searched the #lucee archives -- note: it also deletes any log4j 1.x bundles it finds
(you expressed outrage about that at the time 🙂 )
I don't know whether they backported it to any earlier versions (I doubt it).
"outrage" might be overstating it. "Derision as to whether that is part of Lucee's remit" might be more like it. And I recall that it was reflecting/agreeing-with/amplifying the zeitgeist.
But cheers. As a member of the public who can't search Slack channel archives... how do I arrive at this "5.3.9" conclusion? Looking for a public-facing "5.3.9: fixes Log4J vuln" note or something to that effect.
Looks like 5.3.9 is still in the RC phase so there's no single release notes doc yet.
I tried this GH search but the commit messages aren't entirely helpful (and recent commits about this seem to only refer to the 6.x stream):
Yeah this touches on why I was asking. There seemed to be a flurry of intended action initially and then it kinda disappeared into a mias_m_a of uncertainty
Off topic: @Adam Cameron is "miasa" meant to be "miasma"? Was attempting to look up this word 🙂
@Adam Cameron The Dev Forums seems to be the best place for release information:
Ah! Nice one.