Posted to issues@maven.apache.org by "Sylwester Lachiewicz (Jira)" <ji...@apache.org> on 2021/06/03 09:22:00 UTC

[jira] [Assigned] (DOXIATOOLS-67) log4j 1.2 is unsupported

     [ https://issues.apache.org/jira/browse/DOXIATOOLS-67?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sylwester Lachiewicz reassigned DOXIATOOLS-67:
----------------------------------------------

    Assignee: Elliotte Rusty Harold

> log4j 1.2 is unsupported
> ------------------------
>
>                 Key: DOXIATOOLS-67
>                 URL: https://issues.apache.org/jira/browse/DOXIATOOLS-67
>             Project: Maven Doxia Tools
>          Issue Type: Dependency upgrade
>          Components: Doxia Linkcheck
>    Affects Versions: doxia-linkcheck-1.2
>            Reporter: Elliotte Rusty Harold
>            Assignee: Elliotte Rusty Harold
>            Priority: Critical
>
> It also has known security issues. Do we really need this in our classpath?
> A security vulnerability, CVE-2019-17571, has been identified against Log4j 1. Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be exploited. Since Log4j 1 is no longer maintained, this issue will not be fixed. Users are urged to upgrade to Log4j 2.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)