1.2.5 Release

Fixed broken directory traversal on Windows (caused by symbolic link skipping), See #23 (comment)

1.2.4 Release

• Skip /proc and /sys directories. See #25
• Fixed infinite loop caused by symbolic link. See #25
• Fixed backup failure in symbolic link scenario. See #23
  • Fixed version uses copy instead of rename to keep inode number.
  • Fixed version truncates original file to 0 and rewrite JAR file using backup file.

1.2.3 Release

• Added --force-fix option for automation. See #14
• Print error message if patch is failed. See #13
• Support also Java EE .ear file. See #10

1.2.2 Release

• Added --trace option for diagnose. See #9
• Added WAR support. See #10

1.2.1 Release

Fixed vulnerability summary report. See #8

1.2.0 Release

• Support nested jar detection and mitigation patch (spring fat jar). See #3
• Fixed OOB caused by major.minor version format (e.g. 2.0). See #4
• Fixed exception handling of user input. See #5

1.1.1 Release

Fixed vulnerable version check. See #1

1.1.0 Release

Added --fix option to immediate mitigation patch. Use it at your own risk.

1.0.1 Release

Added mitigation check.

• Check if org/apache/logging/log4j/core/lookup/JndiLookup.class is removed.
• Added (mitigated) tag to message.

1.0.0 Release

First release