From: Jan Matèrne (jhm)
To: Ant Users List, Ant Developers List
Subject: [SECURITY] CVE-2017-5645: Apache Ant 1.9.9 and 1.10.1 - Apache Log4j 1.2.13 security vulnerability
Date: Wed, 7 Feb 2018 08:11:02 +0100

CVE-2017-5645: Apache Ant 1.9.9 and 1.10.1 - Apache Log4j 1.2.13 security vulnerability

Severity: low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Ant 1.9.0 - 1.9.9
Apache Ant 1.10.0 - 1.10.1
The unsupported Apache Ant 1.8 and lower versions are also affected.

Description:
When using Apache Ant's Log4jListener there could be a security issue with the underlying Apache Log4j library in version 1.x.
Please note that Log4j 1.x has reached its end of life and is no longer maintained.
For details about migrating away from Log4j 1.x please consult with the Apache Log4j team.

Mitigation:
Users should either not use the Log4jListener or use the log4j2-bridge.
(Using the bridge requires Ant 1.9.10+ or Ant 1.10.2+.)

Credit:
This issue was discovered by Wade Schwarz of Oracle.

-Jan Matèrne
on behalf of the Apache Ant PMC
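
One way to check a build environment against the mitigation above, as an added example that is not part of the original advisory or of Apache Ant: it scans script text for the Log4jListener class name and tests the Ant version against the 1.9.10+ / 1.10.2+ bridge requirement. The function names, the status strings, the sample inputs and the assumption that the listener is referenced by its full class name are the example's own.

```python
import re

# Assumption: the listener is enabled by its full class name, e.g. through
# `ant -listener <class>` or the ANT_ARGS environment variable.
LISTENER = "org.apache.tools.ant.listener.Log4jListener"

def parse_ant_version(banner):
    """Extract (major, minor, patch) from the output of `ant -version`."""
    m = re.search(r"version\s+(\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        raise ValueError("no Ant version found in %r" % banner)
    return tuple(int(g or 0) for g in m.groups())

def bridge_supported(version):
    """True if the release meets the advisory's bridge floor (1.9.10+ or 1.10.2+)."""
    if version[:2] == (1, 9):
        return version[2] >= 10
    return version >= (1, 10, 2)

def find_listener_use(files):
    """Return (file, line_no, line) for every non-comment line naming the listener."""
    hits = []
    for name, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            stripped = line.strip()
            if stripped.lower().startswith(("#", "rem ", "::")):
                continue  # shell or batch comment, not an active setting
            if LISTENER in stripped:
                hits.append((name, no, stripped))
    return hits

def assess(banner, files):
    """Map the findings to the advisory's mitigation options."""
    hits = find_listener_use(files)
    if not hits:
        return "ok", hits
    if bridge_supported(parse_ant_version(banner)):
        return "remove-listener-or-use-bridge", hits
    return "remove-listener-or-upgrade-ant", hits

# Constructed sample input (not taken from any real project).
SAMPLE_FILES = {
    "ci/build.sh": "#!/bin/sh\n# old: ant -listener " + LISTENER + "\n"
                   "ant -listener " + LISTENER + " dist\n",
    "ci/env.sh": "export ANT_ARGS='-logger org.apache.tools.ant.NoBannerLogger'\n",
}
SAMPLE_BANNER = "Apache Ant(TM) version 1.9.9 compiled on February 2 2017"
if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_FILES))
```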