Hi Kit,
I've reviewed and accepted those changes into the intended branch and for
3.25, but like the Platform, we don't typically build the maintenance
branches any more.

On Mon, Feb 14, 2022 at 7:22 PM Kit Lo <ki...@us.ibm.com> wrote:

> Dear WTP Committers,
>
> You probably heard about the security vulnerabilities found in Apache
> Log4j at the end of last year. It's impacting many software projects in the
> industry, including Eclipse, and WTP specifically.
>
> After investigation, we found that WTP is including Apache Log4j 1.2.15,
> all the way from the very old WTP 3.8 to the current WTP 3.25.
>
> I opened *Bug 577951*
> <https://bugs.eclipse.org/bugs/show_bug.cgi?id=577951> requesting WTP to
> upgrade to the latest Log4j 2.x or totally remove the dependency on Log4j
> 1.x.
>
> Even though Web Services has confirmed that Web Services is not impacted
> by this Log4j 1.x security vulnerability, the fact that Log4j 1.x
> has been out of support since August 2015 and is not receiving any security
> updates makes many Eclipse/WTP users worry.
>
> A few contributors jumped in to help, did a detailed analysis, and came
> up with a potential fix. Could any WTP committers help review and accept
> the change ASAP? That will greatly benefit the whole Eclipse community.
>
> Thank you!
>
> Regards,
> Kit Lo
> Eclipse Babel Project Lead
> IBM Eclipse SDK (IES) Technical Lead and Release Manager
> _______________________________________________
> wtp-dev mailing list
> wtp-dev@eclipse.org
> To unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/wtp-dev
>


-- 
Regards,
Nitin Dahyabhai
Eclipse WTP PMC