Dear WTP Committers,
You probably heard about the security vulnerabilities found in Apache Log4j at the end of last year. It's impacting
many software projects in the industry, including Eclipse, and WTP specifically.
After investigation, we found that WTP is including Apache Log4j 1.2.15, all the way from the very old WTP 3.8 to
the current WTP 3.25.
I opened Bug 577951 requesting
WTP to upgrade to the latest Log4j 2.x or totally remove the dependency on Log4j
1.x.
Even though Web Services has confirmed that Web Services is not impacted by this Log4j 1.x
security vulnerability, however the fact that Log4j 1.x has been out of support since August 2015 and is not receiving any security updates makes many Eclipse/WTP users worry.
A few contributors jumped in to help, did a detail analysis, and came up with
a potential fix. Could any WTP committers help review and accept the change ASAP? That
will greatly benefit the whole Eclipse community.
Thank you!
Regards,
Kit Lo
Eclipse Babel Project Lead
IBM Eclipse SDK (IES) Technical Lead and Release Manager
|