ant-dev mailing list archives

From Gintautas Grigelionis <g.grigelio...@gmail.com>
Subject Re: [SECURITY] CVE-2017-5645: Apache Ant 1.9.9 and 1.10.1 - Apache Log4j 1.2.13 security vulnerability
Date Wed, 07 Feb 2018 18:03:13 GMT
Exactly, what I meant is that it's worth pointing out that not even all
versions of log4j 2.x are safe.

Gintas

2018-02-07 18:18 GMT+01:00 Stefan Bodewig <bodewig@apache.org>:

> On 2018-02-07, Gintautas Grigelionis wrote:
>
> > The CVE says it affects SocketServer up to Log4j 2.8.2, so it's not only a
> > Log4j 1.x issue. Did I miss something?
>
> The subject is how it has been reported to us.
>
> Prior to the latest releases you have not been able to use log4j2 so
> there is no reason to talk about those versions. The recommended
> mitigation of "don't use Log4JListener or use the log4j2-bridge" is
> correct, one might add "of a log4j 2.x version that is not vulnerable to
> the attack".
>
> Stefan
