ant-dev mailing list archives

From Stefan Bodewig <bode...@apache.org>
Subject Re: [SECURITY] CVE-2017-5645: Apache Ant 1.9.9 and 1.10.1 - Apache Log4j 1.2.13 security vulnerability
Date Wed, 07 Feb 2018 17:18:24 GMT
On 2018-02-07, Gintautas Grigelionis wrote:

> The CVE says it affects SocketServer up to Log4j 2.8.2, so it's not only
> a Log4j 1.x issue. Did I miss something?

The subject is how it has been reported to us.

Prior to the latest releases you have not been able to use log4j2 so
there is no reason to talk about those versions. The recommended
mitigation of "don't use Log4JListener or use the log4j2-bridge" is
correct; one might add "of a log4j 2.x version that is not vulnerable to
the attack".

Stefan
