Re: [cross-project-issues-dev] log4j vulnerability in Eclipse?
Denis,
I believe that only Passage depends on this older version:

The SimRel dependency analysis tool I'm currently developing will be able to give a more definitive answer...
Regards,
Ed
On 10.12.2021 20:49, Denis Roy wrote:
So, yes, Eclipse 2021-12 is vulnerable as 2.0.0 < 2.8.2 < 2.14.1
On 2021-12-10 14:39, Ed Merks wrote:
Denis,
You can see the versions of log4j in the 2021-12 release here:
https://www.eclipse.org/downloads/download.php?format=xml&file=/releases/2021-12/202112081000&countryCode=us&timeZone=1&format=xml
These I think:
On 10.12.2021 20:11, Denis Roy wrote:
I guess I'm trying to determine if there are any versions of Eclipse, Jetty, jGit, etc that are vulnerable.
For instance, we use Gerrit 3.2.7, which may contain a vulnerability.
Denis
On 2021-12-10 14:02, Matthew Khouzam via cross-project-issues-dev wrote:
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when ...
nvd.nist.gov
It's for log4j2 between 2.0.0 and 2.14.1