[
https://issues.apache.org/jira/browse/PDFBOX-5346?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Tilman Hausherr closed PDFBOX-5346.
-----------------------------------
Resolution: Invalid
2.0.12 is 3 years old and that means you should improve your practices. Old jar
versions mean more risks (bugs), and we have security issues too sometimes.
Run your builds with the maven-versions-plugin and the dependency-check-maven
plugin:
https://www.mojohaus.org/versions-maven-plugin/
https://github.com/jeremylong/DependencyCheck
> PDFBox 2.0.12 | Regarding log4j 0 day vulnerability
> ---------------------------------------------------
>
> Key: PDFBOX-5346
> URL: https://issues.apache.org/jira/browse/PDFBOX-5346
> Project: PDFBox
> Issue Type: Task
> Affects Versions: 2.0.12
> Reporter: Amit Maheshwari
> Priority: Critical
>
> We are using PDFBox 2.0.12 in our software.
> We found that 'commons logging' is a dependency of PDFBox and Log4J is a
> dependency of commons logging.
> We have not done any explicit configuration for log4j; in that case, will
> PDFBox or Commons Logging consume the Log4J solution by any chance?
> If yes, what is the recommendation for avoiding it (and any possibility of
> compromise due to the 0 day vulnerability present in Log4J in 2.0.12)?
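An added example, not part of the issue thread or of PDFBox's code: a Python script that reads `mvn dependency:tree` output and reports the chain through which each logging library (Commons Logging, Log4j) reaches a build, which is the question the issue raises. The tree is constructed for a hypothetical `com.example:app`; only the PDFBox 2.0.12 coordinate comes from the issue, and the other artifacts and versions are made up.

```python
import re

# Constructed `mvn dependency:tree` output for a hypothetical application;
# the com.example artifacts and all versions except PDFBox 2.0.12 are made up.
SAMPLE_TREE = r"""
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.apache.pdfbox:pdfbox:jar:2.0.12:compile
[INFO] |  +- org.apache.pdfbox:fontbox:jar:2.0.12:compile
[INFO] |  \- commons-logging:commons-logging:jar:1.2:compile
[INFO] \- com.example:reporting:jar:3.1.0:compile
[INFO]    \- org.apache.logging.log4j:log4j-core:jar:2.14.0:compile
"""

LOGGING_GROUPS = ("commons-logging", "log4j", "org.apache.logging.log4j")
NODE = re.compile(r"^(?:\[INFO\] )?(?P<indent>[ |+\\-]*)(?P<coord>[A-Za-z]\S*)")


def parse_tree(text):
    """Yield (depth, group, artifact, version) for each node in the tree."""
    for line in text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # separators and blank lines
        parts = m.group("coord").split(":")
        if len(parts) < 4:
            continue  # banner text such as "BUILD SUCCESS" or plugin headers
        depth = len(m.group("indent")) // 3  # Maven indents 3 columns per level
        # Root is g:a:type:version; dependencies append a scope field.
        version = parts[-1] if depth == 0 else parts[-2]
        yield depth, parts[0], parts[1], version


def logging_paths(text, groups=LOGGING_GROUPS):
    """Return the dependency chain leading to every logging artifact."""
    stack, found = [], []
    for depth, group, artifact, version in parse_tree(text):
        del stack[depth:]  # leave only the ancestors of the current node
        stack.append(f"{group}:{artifact}:{version}")
        if group in groups:
            found.append(list(stack))
    return found


if __name__ == "__main__":
    for path in logging_paths(SAMPLE_TREE):
        print(" -> ".join(path))
```

Each printed chain names the direct dependency responsible for a logging artifact, so the version to check or upgrade can be traced to the declaration that brings it in.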