HHH-20334 Upgrade to Log4j 2.25.4

yrodiere · yrodiere · commit 7b10d2c8fe07 · 2026-04-13T15:35:32.000+02:00
Technically we only: 1. Use it for testing 2. Have an API dependency in hibernate-testing, which provides some tools to work with log4j So the various CVEs are not really relevant: * https://logging.apache.org/security.html#CVE-2026-34478 * https://logging.apache.org/security.html#CVE-2026-34479 * https://logging.apache.org/security.html#CVE-2026-34481 Still, let’s avoid the noise related to automated tools reporting the problem.
diff --git a/settings.gradle b/settings.gradle
@@ -177,7 +177,7 @@ dependencyResolutionManagement {
             def bytemanVersion = version "byteman", "4.0.24"
             def jbossJtaVersion = version "jbossJta", "7.2.2.Final"
             def jbossTxSpiVersion = version "jbossTxSpi", "8.0.0.Final"
-            def log4jVersion = version "log4j", "2.24.3"
+            def log4jVersion = version "log4j", "2.25.4"
             def mockitoVersion = version "mockito", "5.14.2"
             def shrinkwrapVersion = version "shrinkwrap", "1.2.6"
             def shrinkwrapDescriptorsVersion = version "shrinkwrapDescriptors", "2.0.0"
