[
https://issues.apache.org/jira/browse/DOXIATOOLS-67?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Elliotte Rusty Harold updated DOXIATOOLS-67:
--------------------------------------------
Description:
It also has known security issues. Do we really need this in our classpath?
A security vulnerability, CVE-2019-17571 has been identified against Log4j 1.
Log4j includes a SocketServer that accepts serialized log events and
deserializes them without verifying whether the objects are allowed or not.
This can provide an attack vector that can be exploited. Since Log4j 1 is no
longer maintained this issue will not be fixed. Users are urged to upgrade to
Log4j 2.
was:
It also has known security issues. Do we really need this in out classpath?
A security vulnerability, CVE-2019-17571 has been identified against Log4j 1.
Log4j includes a SocketServer that accepts serialized log events and
deserializes them without verifying whether the objects are allowed or not.
This can provide an attack vector that can be exploited. Since Log4j 1 is no
longer maintained this issue will not be fixed. Users are urged to upgrade to
Log4j 2.
> log4j 1.2 is unsupported
> ------------------------
>
> Key: DOXIATOOLS-67
> URL: https://issues.apache.org/jira/browse/DOXIATOOLS-67
> Project: Maven Doxia Tools
> Issue Type: Dependency upgrade
> Components: Doxia Linkcheck
> Affects Versions: doxia-linkcheck-1.2
> Reporter: Elliotte Rusty Harold
> Priority: Critical
>
> It also has known security issues. Do we really need this in our classpath?
> A security vulnerability, CVE-2019-17571 has been identified against Log4j 1.
> Log4j includes a SocketServer that accepts serialized log events and
> deserializes them without verifying whether the objects are allowed or not.
> This can provide an attack vector that can be exploited. Since Log4j 1 is no
> longer maintained this issue will not be fixed. Users are urged to upgrade to
> Log4j 2.