Resolve log4j (Java7) vulnerability in Simple Java Mail's CLI module #365
Comments
bbottema
changed the title
|
6.6.2 released. |
bbottema
changed the title
bbottema
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Technically, Simple Java Mail doesn't depend on log4j for general use; it is only included in the stand-alone CLI distribution so the dependency (and its vulnerability) is basically never exposed to the public domain. So if you're just using it as a dependency in your project, you're good and you don't really need a new version.
However, to just avoid any ambiguity about this and satisfy the dependency analyzers, I'll just resolve this issue and move to 2.12.3 which fixes it for Java 7 (see https://logging.apache.org/log4j/2.x/security.html). This will be released in Simple Java Mail 6.6.2.
For the next major version 7.0.0 I will further update to 2.17.0, which fixes it for Java 8 and up.
The text was updated successfully, but these errors were encountered: