On Sun, Dec 12, 2021 at 7:31 AM Pavel Lyalyakin <pavel.lyalya...@visualsvn.com> wrote: > > On Sun, Dec 12, 2021 at 5:34 AM surbhi khandelwal <surbhi...@gmail.com> wrote: >> >> Hi >> >> I am using svn, version 1.6.11 (r934486) on rhel 1.6 could you kindly help >> me understand if this is vulnerable to the latest java vulnaribility >> >> >> Httpd version im using is 2.2.15 >> >> Looking for your help >> >> > > Apache Subversion and Apache HTTP Server are not Java applications. > Subversion does not depend on log4j. AFAIK, Apache HTTP Server does not > depend on log4j either. > > Note that you are using outdated Subversion and Apache HTTP Server versions. > They are affected by numerous issues, and you should consider upgrading to > supported versions. The most recent versions are Subversion 1.14.1 and Apache > HTTP Server 2.4.51.
I was typing up the same reply ... neither Subversion nor httpd would be directly impacted by this but you are running old versions with other problems so you should look to upgrade. The log4j vulnerability only impacts apps that use a JVM, so in terms of Subversion you would probably just want to look for any web apps you might be using with your Subversion server such as a repository browser or other tool that is written in Java. But a vanilla Subversion server (or client) should be fine. Mark
