Update log4j dependency to 2.17.1 (#479)

* Change log4j dependency to 2.17.1
* Change signers version to 1.0.24
* Update changelog entries for next release

CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## 21.10.5
+### Bugs Fixed
+- Updated to log4j 2.17.1. Resolves two potential vulnerabilities which are only exploitable when using custom log4j configurations that are either writable by untrusted users or log data from the `ThreadContext`.
+
+---
+## 21.10.4
+### Bugs Fixed
+- Updated log4j to 2.17.0 to mitigate potential DOS vulnerability when the logging configuration uses a non-default Pattern Layout with a Context Lookup.
+
+---
 ## 21.10.3
 
 ### Bugs fixed

gradle/versions.gradle

@@ -43,10 +43,12 @@ dependencyManagement {
 
     dependency 'javax.activation:activation:1.1.1'
 
-    dependency 'org.apache.logging.log4j:log4j-api:2.17.0'
-    dependency 'org.apache.logging.log4j:log4j:2.17.0'
-    dependency 'org.apache.logging.log4j:log4j-core:2.17.0'
-    dependency 'org.apache.logging.log4j:log4j-slf4j-impl:2.17.0'
+    dependencySet(group: 'org.apache.logging.log4j', version: '2.17.1') {
+      entry 'log4j-api'
+      entry 'log4j'
+      entry 'log4j-core'
+      entry 'log4j-slf4j-impl'
+    }
 
     dependencySet(group: 'org.apache.tuweni', version: '0.10.0') {
       entry 'tuweni-net'
@@ -90,7 +92,7 @@ dependencyManagement {
 
     dependency 'tech.pegasys:jblst:0.3.3-1'
 
-    dependencySet(group: 'tech.pegasys.signers.internal', version: '1.0.23') {
+    dependencySet(group: 'tech.pegasys.signers.internal', version: '1.0.24') {
       entry 'bls-keystore'
       entry 'keystorage-hashicorp'
       entry 'keystorage-azure'