cas-management-overlay and recent log4j vulnerabilities


Phil Hale

Dec 20, 2021, 11:47:47 AM
to CAS Community
Hello folks,

I'm trying to figure out a way to update the log4j in the cas-management-overlay from 2.14.0 to 2.17.0, so far without success. Does anyone have some documentation or information on how to do this? I've tried building from the cas-management 6.3.x source and run into other issues. Any help or advice would be greatly appreciated.

Thanks,

Phil

Travis Schmidt

Dec 20, 2021, 12:41:49 PM
to CAS Community
We need to update the 6.3.x branch to use 2.17 before you can use it in the overlay. I have a patch PR submitted now; not sure when it will be available in the repository. You can pull the 6.3.x build directly, update log4j, build a version to your local Maven and then point your overlay to that local build to get by until it is in the repo.

Travis
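
Added example, not part of the thread or of the CAS project: after rebuilding the overlay against a locally built 6.3.x, this check lists every log4j jar bundled in the resulting WAR that is still older than 2.17.0. It assumes the WAR keeps its dependencies as Maven-named `<artifact>-<version>.jar` entries; the function names are hypothetical and the sample WAR is constructed in memory.

```python
import io
import re
import sys
import zipfile

FIXED = (2, 17, 0)  # target log4j version named in the thread
# Assumption: bundled jars follow Maven naming, <artifact>-<version>.jar
JAR_RE = re.compile(r"(?:^|/)(log4j-[a-z0-9-]+?)-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.9.1' -> (2, 9, 1); tuples compare numerically, strings would not."""
    return tuple(int(part) for part in text.split("."))


def scan_war(war, minimum=FIXED):
    """Return (entry, artifact, version, ok) for each log4j jar in the archive."""
    findings = []
    with zipfile.ZipFile(war) as zf:
        for name in zf.namelist():
            match = JAR_RE.search(name)
            if match:
                artifact, version = match.groups()
                ok = parse_version(version) >= minimum
                findings.append((name, artifact, version, ok))
    return findings


def outdated(war, minimum=FIXED):
    """Only the log4j jars older than the minimum version."""
    return [f for f in scan_war(war, minimum) if not f[3]]


def build_sample_war(log4j_version):
    """Constructed stand-in for an overlay WAR: empty entries, names only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for artifact in ("log4j-api", "log4j-core", "log4j-slf4j-impl"):
            zf.writestr(f"WEB-INF/lib/{artifact}-{log4j_version}.jar", b"")
        zf.writestr("WEB-INF/lib/example-lib-1.0.0.jar", b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Pass the path of a built WAR, or run with no argument for the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_war("2.14.0")
    stale = outdated(target)
    for entry, _artifact, version, _ok in stale:
        print(f"OUTDATED {entry} (found {version}, want >= 2.17.0)")
    sys.exit(1 if stale else 0)
```

The check matches on jar file names only, so log4j classes shaded into another jar are not detected.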


Pablo Vidaurri

Dec 20, 2021, 2:52:04 PM
to CAS Community, travis....@gmail.com
I'm assuming this will resolve the 404 when setting cas version to 6.3.7.4 inside of cas template?

Pablo Vidaurri

Dec 20, 2021, 2:52:32 PM
to CAS Community, Pablo Vidaurri, travis....@gmail.com