ant-dev mailing list archives

From Gintautas Grigelionis <g.grigelio...@gmail.com>
Subject Re: [SECURITY] CVE-2017-5645: Apache Ant 1.9.9 and 1.10.1 - Apache Log4j 1.2.13 security vulnerability
Date Wed, 07 Feb 2018 14:54:36 GMT
The CVE says it affects SocketServer up to Log4j 2.8.2, so it's not only a Log4j 1.x issue. Did I miss something?

Gintas

2018-02-07 8:11 GMT+01:00 Jan Matèrne (jhm) <apache@materne.de>:

> CVE-2017-5645: Apache Ant 1.9.9 and 1.10.1 - Apache Log4j 1.2.13 security vulnerability
>
> Severity: low
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
>
>   Apache Ant 1.9.0 - 1.9.9
>
>   Apache Ant 1.10.0 - 1.10.1
>
>   The unsupported Apache Ant 1.8 and lower versions are also affected.
>
> Description:
>
>   When using Apache Ant's Log4jListener there could be a security issue with the underlying Apache Log4j library in version 1.x.
>
>   Please note that Log4j 1.x has reached its end of life and is no longer maintained.
>
>   For details about migrating away from Log4j 1.x please consult with the Apache Log4j team.
>
> Mitigation:
>
>   Users should not use the Log4jListener or use the log4j2-bridge.
>
>   (Using the bridge requires Ant 1.9.10+ or Ant 1.10.2+.)
>
> Credit:
>
>   This issue was discovered by Wade Schwarz of Oracle.
>
> -Jan Matèrne
>
> on behalf of the Apache Ant PMC
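An added triage helper, not part of this thread or of the Ant project: it applies the advisory's affected version ranges and the bridge requirement (1.9.10+ / 1.10.2+) to an Ant installation, using integer version comparison so that 1.9.10 is correctly ordered after 1.9.9. The jar file name pattern for Log4j 1.x is an assumption for illustration.

```python
"""Triage an Ant installation against CVE-2017-5645 using the advisory above.

Constructed helper, not Ant project code. Version ranges come from the
advisory; the log4j jar name pattern is an assumption for illustration.
"""
import re


def parse_version(v):
    """'1.9.10' -> (1, 9, 10). Compared as integers: as strings,
    '1.9.9' sorts after '1.9.10', which is the classic mistake."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", v.strip())
    if not m:
        raise ValueError("unrecognised Ant version: %r" % v)
    return tuple(int(x or 0) for x in m.groups())


def is_affected(version):
    """Affected per advisory: 1.9.0-1.9.9, 1.10.0-1.10.1, and 1.8 or lower."""
    v = parse_version(version)
    return v <= (1, 9, 9) or (1, 10, 0) <= v <= (1, 10, 1)


def bridge_supported(version):
    """The log4j2-bridge mitigation needs Ant 1.9.10+ (1.9 line) or 1.10.2+."""
    v = parse_version(version)
    return (1, 9, 10) <= v < (1, 10, 0) or v >= (1, 10, 2)


def assess(version, listener_used, lib_jars):
    """Return a one-line finding for a build that may use Log4jListener.

    listener_used: whether -listener org.apache.tools.ant.listener.Log4jListener
    is configured; lib_jars: file names on Ant's lib/classpath (constructed).
    """
    log4j1 = [j for j in lib_jars if re.match(r"log4j-1\.2\.\d+\.jar$", j)]
    if not listener_used:
        return "not exposed: Log4jListener not in use"
    if not log4j1:
        return "not exposed: no Log4j 1.x jar on Ant's classpath"
    if not is_affected(version):
        return "not affected: Ant %s is outside the advisory's ranges" % version
    if bridge_supported(version):
        fix = "use the log4j2-bridge"
    else:
        fix = "upgrade to Ant 1.9.10+/1.10.2+ and use the log4j2-bridge"
    return "affected: Ant %s with %s; drop Log4jListener or %s" % (
        version, log4j1[0], fix)
```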
