From 0ab603f39ca6cb04856129f57611dcb818b3ffe8 Mon Sep 17 00:00:00 2001 From: Stephen McConnachie Date: Thu, 14 May 2026 09:59:57 +0100 Subject: [PATCH] fix: upgrade Log4j from 2.25.3 to 2.25.4 (CVE-2026-34480) Apache Log4j Core 2.25.3 and earlier are vulnerable to CVE-2026-34480 (CVSS 7.5 HIGH): XmlLayout fails to sanitize characters forbidden by the XML 1.0 spec, producing malformed XML or throwing exceptions (depending on StAX implementation), causing silent log event loss. Upgrade to 2.25.4 which sanitises forbidden characters before output. See: https://nvd.nist.gov/vuln/detail/CVE-2026-34480 --- droid-parent/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/droid-parent/pom.xml b/droid-parent/pom.xml index 1ce7bd96e..6418b335c 100644 --- a/droid-parent/pom.xml +++ b/droid-parent/pom.xml @@ -106,7 +106,7 @@ 1.1.3 3.0 2.0.17 - 2.25.3 + 2.25.4 10.21.2 2.41.15 6.0.2
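Review bot: the hunk changes only a bare version value from 2.25.3 to 2.25.4, and because the enclosing property names are not visible in this rendering it cannot be confirmed from the diff that this single property drives every Log4j artifact in the build (log4j-api, log4j-core, and any SLF4J or JUL bridge module). Please verify with `mvn dependency:tree -Dincludes=org.apache.logging.log4j` on the full reactor that no module still resolves 2.25.3 through a transitive or separately pinned dependency, since a mixed 2.25.3/2.25.4 classpath would leave the commit's stated fix incomplete. The commit message also says the issue is in XmlLayout; it would help reviewers to state in the description whether any logging configuration in this project actually uses XmlLayout, so the practical impact of the upgrade on this code base is clear.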