That's good to know, but when I generate a jar file with only PDFBox (v2.0.25) as a dependent library, I can still see a Log4J class in it, under org\apache\commons\logging\impl\. Is it not used? If so, can that dependency be removed? If it is used, what version is it, please?
On Thu, Dec 16, 2021 at 11:03 AM Tilman Hausherr <thaush...@t-online.de> wrote: > No > > Tilman > > Am 16.12.2021 um 09:43 schrieb Thomas Möller: > > Hello, > > > > is the use of the prebuild pdfbox.jar in any manner affected by the > log4j security problems? > > > > Best Regards, Thomas M. > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org > > For additional commands, e-mail: users-h...@pdfbox.apache.org > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org > For additional commands, e-mail: users-h...@pdfbox.apache.org > >
