Do note that reload4j is not 100% compatible with log4j 1.2.17; code has just been deleted to "fix" some CVEs.
Gary

On Thu, Mar 3, 2022, 08:37 Bernd Eckenfels <e...@zusammenkunft.net> wrote:

> All of the (known) remaining log4j 1.x security bugs (none of which are as
> severe as log4shell) are fixed in reload4j 1.2.18+. If you need to stick
> with 1.2 you should use that. Otherwise you can try to migrate to the log4j
> bridge; its compatibility was increased in 2.17.2 or 2.12.4.
>
> Regards
> Bernd
> --
> http://bernd.eckenfels.net
> ________________________________
> From: Martin Gainty <mgai...@hotmail.com>
> Sent: Thursday, March 3, 2022 1:18:50 PM
> To: Maven Developers List <dev@maven.apache.org>
> Cc: David Milet <david.mi...@gmail.com>; iss...@maven.apache.org <iss...@maven.apache.org>; VZ-Product-OneTalk <vz-product-onet...@verizon.com>; Danylo Volokh <danylo.vol...@globallogic.com>
> Subject: RE: Maven Dependency Plugin - Log4j vulnerabilities
>
> I *thought* log4j 1.2.15 had the patch to mitigate the JNDI Security
> Vulnerability?
> Is this not the case?
> Thanks John
> M.
>
> Sent from my Verizon, Samsung Galaxy smartphone
>
> -------- Original message --------
> From: John Patrick <nhoj.patr...@gmail.com>
> Date: 3/3/22 4:07 AM (GMT-05:00)
> To: Maven Developers List <dev@maven.apache.org>
> Cc: David Milet <david.mi...@gmail.com>, iss...@maven.apache.org, VZ-Product-OneTalk <vz-product-onet...@verizon.com>, Danylo Volokh <danylo.vol...@globallogic.com>
> Subject: Re: Maven Dependency Plugin - Log4j vulnerabilities
>
> Sorry, I thought you were talking about log4j v2, not v1. I can see it
> downloads the metadata about the project but none of the jars;
>
> local-repo/log4j
> local-repo/log4j/log4j
> local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom
> local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1
> local-repo/log4j
> local-repo/log4j/log4j
> local-repo/log4j/log4j/1.2.12
> local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom
> local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1
> local-repo/log4j/log4j/1.2.12/_remote.repositories
>
> So I would still say false positive, as the jar is not actually used.
>
> But looking at the dependency tree it would need the apache commons to
> update commons-logging:commons-logging, then
> commons-digester:commons-digester, then org.apache.velocity:velocity-tools,
> then it gets to the 1st dependency within the maven ecosystem.
> So 5-ish patches to 5 separate projects to upgrade, test and release, each
> before the next PR can progress.
>
> John
>
> On Thu, 3 Mar 2022 at 07:53, Thomas Matthijs <li...@selckin.be> wrote:
>
> > That was just to demonstrate how I got the dependency chain, that file
> > was there, but if you're going to be this hostile, I'm not interested
> > anymore, muting thread
> >
> > On Thu, 3 Mar 2022 at 08:48, Piotr Żygieło <piotr.zygi...@gmail.com> wrote:
> > >
> > > On Thu, 3 Mar 2022 at 08:37, Thomas Matthijs <li...@selckin.be> wrote:
> > > >
> > > > Can confirm this project downloads log4j 1.12.12 for me
> > >
> > > As I see it - you confirm something else.
> > >
> > > > Failed to read artifact descriptor for log4j:log4j:jar:1.2.12:
> > >
> > > Failed to read artifact descriptor for log4j:log4j:jar:1.2.12:
> > > _artifact descriptor_
> > >
> > > --
> > > Piotrek
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> > > For additional commands, e-mail: dev-h...@maven.apache.org
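As an added example (not code from the thread or from the Maven project), the triage step John describes above can be automated: walk a local Maven repository and report, per artifact version, whether only the POM (the artifact descriptor) was fetched or the jar itself is present, so a scanner hit on a descriptor-only artifact can be classified as a false positive. The sample repository layout is constructed inline from the listing in the thread; org.example:lib:1.0 is a made-up artifact added for contrast.

```python
"""Classify artifacts in a local Maven repository as 'jar' or 'pom-only'.

Resolving a dependency tree fetches each artifact's POM (its descriptor),
which is enough for some scanners to flag a vulnerable version even though
the jar was never downloaded and so cannot be on any classpath.
"""
import tempfile
from pathlib import Path


def classify_local_repo(repo_root):
    """Return {"group:artifact:version": "jar" | "pom-only"} for every
    version directory under repo_root that contains a .pom file.

    Layout assumed is Maven's standard one: <group path>/<artifact>/<version>/.
    """
    result = {}
    root = Path(repo_root)
    for pom in root.rglob("*.pom"):          # *.pom.sha1 does not match
        version_dir = pom.parent
        version = version_dir.name
        artifact = version_dir.parent.name
        group = ".".join(version_dir.parent.parent.relative_to(root).parts)
        has_jar = any(p.suffix == ".jar" for p in version_dir.iterdir())
        result[f"{group}:{artifact}:{version}"] = "jar" if has_jar else "pom-only"
    return result


def build_sample_repo():
    """Constructed sample repository: the log4j entries mirror the listing in
    the thread (POM, checksum and _remote.repositories, no jar); the
    org.example:lib artifact is made up and does have its jar."""
    base = Path(tempfile.mkdtemp())
    files = [
        "log4j/log4j/1.2.12/log4j-1.2.12.pom",
        "log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1",
        "log4j/log4j/1.2.12/_remote.repositories",
        "org/example/lib/1.0/lib-1.0.pom",
        "org/example/lib/1.0/lib-1.0.jar",
    ]
    for rel in files:
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"")               # contents are irrelevant here
    return base


if __name__ == "__main__":
    for coords, status in sorted(classify_local_repo(build_sample_repo()).items()):
        print(f"{coords}: {status}")
```

A "pom-only" result shows the jar was never fetched; a "jar" result only shows it was downloaded, and whether it actually reaches a runtime classpath still has to be checked against the build's dependency scope and packaging.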