Posted to users@pdfbox.apache.org by Thomas Möller <th...@muenster.de> on 2021/12/16 08:43:26 UTC

log4j vulnerability?

Hello,

is the use of the prebuilt pdfbox.jar in any manner affected by the log4j security problems?

Best Regards, Thomas M.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@pdfbox.apache.org
For additional commands, e-mail: users-help@pdfbox.apache.org


Re: log4j vulnerability?

Posted by Andreas Lehmkuehler <an...@lehmi.de>.
On 19.12.21 at 12:32, Gilad Denneboom wrote:
> That's good to know, but when I generate a jar file with only PDFBox
> (v2.0.25) as a dependent library, I can still see a Log4J class in it,
> under org\apache\commons\logging\impl\.
> Is it not used? If so, can that dependency be removed? If it is used, what
> version is it, please?
That's a log4j-wrapper from commons-io which has an optional dependency on log4j
1.2.17, see https://issues.apache.org/jira/browse/PDFBOX-5346 for further details.

Andreas

> 
> On Thu, Dec 16, 2021 at 11:03 AM Tilman Hausherr <TH...@t-online.de>
> wrote:
> 
>> No
>>
>> Tilman
>>
>> On 16.12.2021 at 09:43, Thomas Möller wrote:
>>> Hello,
>>>
>>> is the use of the prebuilt pdfbox.jar in any manner affected by the
>>> log4j security problems?
>>>
>>> Best Regards, Thomas M.
>>>
>>
> 
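
The distinction drawn in this thread (a logging wrapper class under org/apache/commons/logging/impl/ versus log4j itself) can be checked on a built jar. This is an added example, not part of the original messages or of PDFBox; the labels, function names and sample jar are constructed, and the log4j 1.x and 2.x core package prefixes are the standard ones for those libraries.

```python
import io
import zipfile

# Entry-name prefixes inside a jar, mapped to labels chosen for this example.
PREFIXES = [
    ("org/apache/commons/logging/impl/Log4J", "logging-wrapper"),
    ("org/apache/logging/log4j/core/", "log4j2-core"),
    ("org/apache/log4j/", "log4j1"),
]


def classify(jar, _path=""):
    """Return {label: [entry, ...]} for a jar given as a path or file object.

    Nested .jar/.war entries (fat jars) are opened in memory and scanned too.
    """
    found = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            where = _path + name
            if name.endswith((".jar", ".war")):
                try:
                    inner = classify(io.BytesIO(zf.read(name)), where + "!/")
                except zipfile.BadZipFile:
                    continue  # entry is not a readable archive
                for label, hits in inner.items():
                    found.setdefault(label, []).extend(hits)
            elif name.endswith(".class"):
                for prefix, label in PREFIXES:
                    if name.startswith(prefix):
                        found.setdefault(label, []).append(where)
                        break
    return found


def build_sample_jar(with_log4j1=False):
    """Constructed sample jar; optionally nests a jar holding a log4j 1.x class."""
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("org/apache/pdfbox/pdmodel/PDDocument.class", b"")
        zf.writestr("org/apache/commons/logging/impl/Log4JLogger.class", b"")
        if with_log4j1:
            inner = io.BytesIO()
            with zipfile.ZipFile(inner, "w") as nested:
                nested.writestr("org/apache/log4j/Logger.class", b"")
            zf.writestr("lib/legacy.jar", inner.getvalue())
    return outer


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, classify(build_sample_jar(flag)))
```

A result containing only the `logging-wrapper` label means the jar carries the wrapper class but no log4j classes; `log4j1` or `log4j2-core` entries mean log4j itself is bundled and its version needs checking.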




Re: log4j vulnerability?

Posted by Gilad Denneboom <gi...@gmail.com>.
That's good to know, but when I generate a jar file with only PDFBox
(v2.0.25) as a dependent library, I can still see a Log4J class in it,
under org\apache\commons\logging\impl\.
Is it not used? If so, can that dependency be removed? If it is used, what
version is it, please?

On Thu, Dec 16, 2021 at 11:03 AM Tilman Hausherr <TH...@t-online.de>
wrote:

> No
>
> Tilman
>
> On 16.12.2021 at 09:43, Thomas Möller wrote:
> > Hello,
> >
> > is the use of the prebuilt pdfbox.jar in any manner affected by the
> > log4j security problems?
> >
> > Best Regards, Thomas M.
> >
>

Re: log4j vulnerability?

Posted by Tilman Hausherr <TH...@t-online.de>.
No

Tilman

On 16.12.2021 at 09:43, Thomas Möller wrote:
> Hello,
>
> is the use of the prebuilt pdfbox.jar in any manner affected by the log4j security problems?
>
> Best Regards, Thomas M.
>

