Re: [cross-project-issues-dev] log4j vulnerability in Eclipse?
I believe that only Passage depends on this older version:
The SimRel dependency analysis tool I'm currently developing will be able to give a more definitive answer...
So, yes, Eclipse 2021-12 is vulnerable as 2.0.0 < 2.8.2 < 2.14.1
On 2021-12-10 14:39, Ed Merks wrote:
You can see the versions of log4j in the 2021-12 release here:
These I think:
- org.apache.log4j 1.2.15.v201012070815 ( 418.9K ) ( 144.3K )
- org.apache.logging.log4j 2.8.2.v20200818-1118 ( 1.6M ) ( 462.7K )
On 10.12.2021 20:11, Denis Roy wrote:
I guess I'm trying to determine if there are any versions of Eclipse, Jetty, jGit, etc that are vulnerable.
For instance, we use Gerrit 3.2.7, which may contain a vulnerability.
On 2021-12-10 14:02, Matthew Khouzam via cross-project-issues-dev wrote:
nvd.nist.gov
It's for log4j2 between 2.0.0 and 2.14.1
From: cross-project-issues-dev <cross-project-issues-dev-bounces@xxxxxxxxxxx> on behalf of Denis Roy <denis.roy@xxxxxxxxxxxxxxxxxxxxxx>
Sent: Friday, December 10, 2021 1:46 PM
To: Cross project issues <cross-project-issues-dev@xxxxxxxxxxx>
Subject: [cross-project-issues-dev] log4j vulnerability in Eclipse?
As you may be aware, an important vulnerability has been discovered in log4j.
If I recall, log4j is used in Eclipse components. Does anyone have a feel for our current state? Is 2021-12 affected?