Posted to issues@maven.apache.org by "Sylwester Lachiewicz (Jira)" <ji...@apache.org> on 2021/06/03 09:22:00 UTC
[jira] [Assigned] (DOXIATOOLS-67) log4j 1.2 is unsupported
[ https://issues.apache.org/jira/browse/DOXIATOOLS-67?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sylwester Lachiewicz reassigned DOXIATOOLS-67:
----------------------------------------------
Assignee: Elliotte Rusty Harold
> log4j 1.2 is unsupported
> ------------------------
>
> Key: DOXIATOOLS-67
> URL: https://issues.apache.org/jira/browse/DOXIATOOLS-67
> Project: Maven Doxia Tools
> Issue Type: Dependency upgrade
> Components: Doxia Linkcheck
> Affects Versions: doxia-linkcheck-1.2
> Reporter: Elliotte Rusty Harold
> Assignee: Elliotte Rusty Harold
> Priority: Critical
>
> It also has known security issues. Do we really need this in our classpath?
> A security vulnerability, CVE-2019-17571, has been identified against Log4j 1. Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be exploited. Since Log4j 1 is no longer maintained, this issue will not be fixed. Users are urged to upgrade to Log4j 2.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)