From 07a139c927f3c4c6f57f5567b536cbaa9a89a44e Mon Sep 17 00:00:00 2001
From: Chris Beams <chris@beams.io>
Date: Mon, 20 Dec 2021 07:34:04 +0100
Subject: [PATCH] Upgrade log4j 2.15.0 => 2.17.0

This change upgrades log4j to patch fixes for recently documented
CVE-2021-45046 CVE-2021-45105 vulnerabilities related to the Log4Shell
exploit.

Like the earlier fix, Bisq does not appear to be vulnerable to these
exploits because it does not use log4j directly, only transitively
depends on it. Nevertheless, the upgrade is still the safe bet.
---
 build.gradle                     |  2 +-
 gradle/verification-metadata.xml | 26 ++++++++++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index f2fcab99b3..9a3d754f95 100644
--- a/build.gradle
+++ b/build.gradle
@@ -584,7 +584,7 @@ configure(project(':pricenode')) {
         "Implementation-Title": project.name,
         "Implementation-Version": version)
 
-    ext['log4j2.version'] = '2.15.0'
+    ext['log4j2.version'] = '2.17.0'
 
     dependencies {
         implementation project(":common")
diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml
index 14358c550f..9e193a8ddf 100644
--- a/gradle/verification-metadata.xml
+++ b/gradle/verification-metadata.xml
@@ -1888,6 +1888,11 @@
             <sha256 value="3f745daa4ea6dc2606525bd4279bf30062066bd223866adb7f5eee46dcf76a03" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.apache.logging.log4j" name="log4j" version="2.17.0">
+         <artifact name="log4j-2.17.0.pom">
+            <sha256 value="8704606faeb779d6d2904f02ca616e0b981fe389d9fe9b89ec84a1e42aee81d2" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.apache.logging.log4j" name="log4j-api" version="2.11.0">
          <artifact name="log4j-api-2.11.0.jar">
             <sha256 value="fa5828950269b0ae425c96d889f18f40b336e9fa886841ae06bb9225511f1217" origin="Generated by Gradle"/>
@@ -1912,6 +1917,14 @@
             <sha256 value="cc75a1281e48700547a81336b564f512a7226e995800bf88ab849ab5adbffa47" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.apache.logging.log4j" name="log4j-api" version="2.17.0">
+         <artifact name="log4j-api-2.17.0.jar">
+            <sha256 value="ab9cadc80e234580e3f3c8c18644314fccd4b3cd3f7085d4e934866cb561b95d" origin="Generated by Gradle"/>
+         </artifact>
+         <artifact name="log4j-api-2.17.0.pom">
+            <sha256 value="6422d9af59acb0077e8a91c7c34a4062ff56a9731c34836a72427084e27aa479" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.apache.logging.log4j" name="log4j-bom" version="2.14.1">
          <artifact name="log4j-bom-2.14.1.pom">
             <sha256 value="a9cef896837f42c6d950b1ce44e2bc1eeeadb246d6c484e07ddd99fb8c022c59" origin="Generated by Gradle"/>
@@ -1922,6 +1935,11 @@
             <sha256 value="99b95442cfaf64ba478ef06d869fefdf3dd959fec78263e59f55cec5ac98b485" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.apache.logging.log4j" name="log4j-bom" version="2.17.0">
+         <artifact name="log4j-bom-2.17.0.pom">
+            <sha256 value="befed280f53ce4866012c9d82b1a7ab46efe26ea3969aee9172845e3a114f222" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.apache.logging.log4j" name="log4j-core" version="2.11.0">
          <artifact name="log4j-core-2.11.0.jar">
             <sha256 value="c32029b32da3d8cf2feca0790a4bc2331ea7eb62ab368a8980b90c7d8c8101e0" origin="Generated by Gradle"/>
@@ -1946,6 +1964,14 @@
             <sha256 value="79c17ecc56a70d466c13bd5926c75c42d7f8bcdbbcfb7d9770e616c013531d1a" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.apache.logging.log4j" name="log4j-to-slf4j" version="2.17.0">
+         <artifact name="log4j-to-slf4j-2.17.0.jar">
+            <sha256 value="df8a9a9d06368a87abd04051597310cc7a501762ab0cd7492ba106df92862c78" origin="Generated by Gradle"/>
+         </artifact>
+         <artifact name="log4j-to-slf4j-2.17.0.pom">
+            <sha256 value="24d195ba852929def67345ea9c2a52e6d6d470b86bee3a2fd64e087fe5a0151b" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.apache.tomcat.embed" name="tomcat-embed-core" version="9.0.54">
          <artifact name="tomcat-embed-core-9.0.54.jar">
             <sha256 value="287f5b91c434df0eef104389c52c480ab4b66f80b494c16607fd82ae9217f8e3" origin="Generated by Gradle"/>