Re: [wtp-dev] Security vulnerabilities found in Apache Log4j included in WTP

Hi Kit,
I've reviewed and accepted those changes into the intended branch and for 3.25, but like the Platform, we don't typically build the maintenance branches any more.

On Mon, Feb 14, 2022 at 7:22 PM Kit Lo <kitlo@xxxxxxxxxx> wrote:

Dear WTP Committers,


You probably heard about the security vulnerabilities found in Apache Log4j at the end of last year. It's impacting many software projects in the industry, including Eclipse, and WTP specifically.
After investigation, we found that WTP is including Apache Log4j 1.2.15, all the way from the very old WTP 3.8 to the current WTP 3.25.
I opened Bug 577951 requesting WTP to upgrade to the latest Log4j 2.x or totally remove the dependency on Log4j 1.x.


Even though Web Services has confirmed that Web Services is not impacted by this Log4j 1.x security vulnerability, the fact that Log4j 1.x has been out of support since August 2015 and is not receiving any security updates makes many Eclipse/WTP users worry.


A few contributors jumped in to help, did a detailed analysis, and came up with a potential fix. Could any WTP committers help review and accept the change ASAP? That will greatly benefit the whole Eclipse community.

Thank you!

Regards,
Kit Lo
Eclipse Babel Project Lead
IBM Eclipse SDK (IES) Technical Lead and Release Manager
_______________________________________________
wtp-dev mailing list
wtp-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/wtp-dev


--
Regards,
Nitin Dahyabhai
Eclipse WTP PMC
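As an added example, not code from this thread or from the WTP project, the following Python script is the kind of check an Eclipse/WTP user could run against their own install to find bundled Log4j jars and flag the 1.x generation as end-of-life. It identifies the generation by the presence of a marker class (org/apache/log4j/Logger.class for 1.x, org/apache/logging/log4j/Logger.class for 2.x) rather than by file name, so repackaged Eclipse bundles are caught too; the version is taken from the OSGi Bundle-Version manifest header when present, otherwise from a Maven-style file name. The sample jars it builds, their names and the 2.0.0 version are constructed for the demo; only the 1.2.15 version comes from the thread.

```python
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Class files whose presence identifies the Log4j generation inside a jar,
# regardless of how the jar is named or repackaged as an Eclipse bundle.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"          # Log4j 1.x (unsupported since Aug 2015)
LOG4J2_MARKER = "org/apache/logging/log4j/Logger.class"  # Log4j 2.x API

# Fallback: pull a version out of Maven-style file names such as log4j-api-2.0.0.jar
FILENAME_VERSION_RE = re.compile(r"-(\d+\.\d+(?:\.\d+)?)\.jar$")


def manifest_version(manifest_text):
    """Return the OSGi Bundle-Version or the Implementation-Version from a MANIFEST.MF, or None."""
    for header in ("Bundle-Version", "Implementation-Version"):
        m = re.search(r"^%s:\s*(\S+)" % header, manifest_text, re.MULTILINE)
        if m:
            return m.group(1)
    return None


def classify_jar(path):
    """Return (family, version) for one jar, where family is '1.x', '2.x' or None."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            manifest = ""
            if "META-INF/MANIFEST.MF" in names:
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return None, None
    if LOG4J1_MARKER in names:
        family = "1.x"
    elif LOG4J2_MARKER in names:
        family = "2.x"
    else:
        return None, None
    version = manifest_version(manifest)
    if version is None:
        m = FILENAME_VERSION_RE.search(os.path.basename(path))
        version = m.group(1) if m else None
    return family, version


def scan_for_log4j(root):
    """Walk an install tree and report every jar that carries Log4j classes."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = Path(dirpath) / name
            family, version = classify_jar(path)
            if family is None:
                continue
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "family": family,
                "version": version,
                "end_of_life": family == "1.x",  # 1.x receives no security updates
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(root):
    """Constructed sample install: three minimal jars under <root>/plugins.
    The file names and the 2.0.0 version are made up for this demo;
    only 1.2.15 is the version named in the thread."""
    plugins = Path(root) / "plugins"
    plugins.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(plugins / "org.apache.log4j_1.2.15.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nBundle-SymbolicName: org.apache.log4j\n"
                    "Bundle-Version: 1.2.15\n")
        zf.writestr(LOG4J1_MARKER, b"")
    with zipfile.ZipFile(plugins / "log4j-api-2.0.0.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")  # no version header
        zf.writestr(LOG4J2_MARKER, b"")
    with zipfile.ZipFile(plugins / "unrelated-1.0.jar", "w") as zf:
        zf.writestr("com/example/Foo.class", b"")  # should be ignored by the scan
    return plugins


def demo():
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_tree(root)
    return scan_for_log4j(root)


if __name__ == "__main__":
    for f in demo():
        flag = "END-OF-LIFE" if f["end_of_life"] else "ok"
        print("%-40s log4j %s  version=%s  %s" % (f["path"], f["family"], f["version"], flag))
```

Point `scan_for_log4j()` at a real Eclipse installation directory (the one containing `plugins/`) to get the same report for it. Matching on the marker class rather than the file name matters here because Eclipse ships third-party libraries as OSGi bundles whose names need not contain "log4j".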
