| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| Lagom 1.6.7 Released! source code.tar.gz | 2021-12-13 | 3.6 MB | |
| Lagom 1.6.7 Released! source code.zip | 2021-12-13 | 4.9 MB | |
| README.md | 2021-12-13 | 1.1 kB | |
| Totals: 3 Items | | 8.5 MB | 1 |
As previously explained in the Lightbend blog post, Lagom doesn't use log4j 2 directly, but it can be included as an opt-in.
With this release, the log4j version that can be included in a Lagom application is upgraded to version 2.15.0, the version that addresses the CVE-2021-44228 vulnerability.
Moreover, we discovered that the Kafka broker library used in dev mode was including an old version of log4j (v1.2.17) for no reason. This was never a real concern because this library is never deployed with a running Lagom application, but to avoid confusion and false alarms this obsolete dependency has been removed.
What's Changed
- [1.6.x] Upgrade to log4j 2.15 to address CVE-2021-44228 by @octonato in https://github.com/lagom/lagom/pull/3325
- Hint that upgrading to Akka HTTP 10.2 is fine (backport [#3319]) by @mergify in https://github.com/lagom/lagom/pull/3326
- remove explicit dependency on log4j in kafka brokers by @octonato in https://github.com/lagom/lagom/pull/3327
Full Changelog: https://github.com/lagom/lagom/compare/1.6.6...1.6.7