Remote code injection in Log4j(CVE-2021-44228)

[yangbodong22011]

refer: GHSA-jfh8-c2jp-5v3q

Jedis only use log4j in test scope, but it doesn’t seem to be necessary to use it, may be we can modify the test and remove the dependency.

[yangbodong22011]

I see this #2723, but correct version is 2.15.0-rc2

[sazzad16]

I see this #2723, but correct version is 2.15.0-rc2

@yangbodong22011 I've checked it and got confused because the tests are passing!

[yangbodong22011]

I see this #2723, but correct version is 2.15.0-rc2

@yangbodong22011 I've checked it and got confused because the tests are passing!

I didn't understand what you meant, shouldn't it be passed?

Cve vulnerabilities may cause problems only when they are attacked, and we only rely on test scope.

[sazzad16]

I see this #2723, but correct version is 2.15.0-rc2

@yangbodong22011 I have also found rc2 to be latest which was published just yesterday. But tests in that PR are passing using a final/GA release. I find this confusing.

[yangbodong22011]

@yangbodong22011 I have also found rc2 to be latest which was published just yesterday. But tests in that PR are passing using a final/GA release. I find this confusing.

ohh, I think the robot is only pushing a suggested version, but our tests(CodeQL / Analyze, Code scanning, LGTM analysis, ci/circleci) does not include the corresponding cve test?

[sazzad16]

Closed by #2723