The latest release of classif takes a dependency on org.apache.logging.log4j:log4j-core:jar:2.11.2 which has multiple direct CVEs against it.
These CVEs are being passed into the latest release of org.revapi:revapi-java (version 0.28.0).
Please release a version with the dependency org.apache.logging.log4j:log4j-core upgraded to version 2.17.1 or greater where these direct CVEs have been resolved.
I'm linking here the issue that I've opened with revapi as well.
revapi/revapi#284