Exactly, what I meant is that it's worth pointing out that not even all versions of log4j 2.x are safe.
Gintas

2018-02-07 18:18 GMT+01:00 Stefan Bodewig <bode...@apache.org>:

> On 2018-02-07, Gintautas Grigelionis wrote:
>
> > The CVE says it affects SocketServer up to Log4j 2.8.2, so it's not only
> > Log4j 1.x issue. Did I miss something?
>
> The subject is how it has been reported to us.
>
> Prior to the latest releases you have not been able to use log4j2 so
> there is no reason to talk about those versions. The recommended
> mitigation of "don't use Log4JListener or use the log4j2-bridge" is
> correct, one might add "of a log4j 2.x version that is not vulnerable to
> the attack".
>
> Stefan