Posted to dev@netbeans.apache.org by John Kostaras <jk...@gmail.com> on 2021/12/15 16:41:51 UTC
Fwd: log4j and NetBeans
Hello,
regarding the latest
- Apache CVE: CVE-2021-44228
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228>
- Apache security advisory: Apache Log4j Security Vulnerabilities
<https://logging.apache.org/log4j/2.x/security.html>
$ find . -name pom.xml | xargs grep log4j
$ find . -type f | xargs grep log4j
./contrib/groovy.grailsproject/test/unit/data/projects/completion/.classpath:<classpathentry
kind="var" path="GRAILS_HOME/lib/slf4j-log4j12-1.5.6.jar" />
./contrib/groovy.grailsproject/test/unit/data/projects/completion/.classpath:<classpathentry
kind="var" path="GRAILS_HOME/lib/log4j-1.2.15.jar" />
Binary file ./extide/gradle/external/gradle-6.7-bin.zip matches
./extide/o.apache.tools.ant.module/external/ant-1.10.8-license.txt:Files:
ant-misc-1.10.8.zip ant-1.10.8.jar ant-antlr-1.10.8.jar
ant-apache-bcel-1.10.8.jar ant-apache-bsf-1.10.8.jar
ant-apache-log4j-1.10.8.jar ant-apache-oro-1.10.8.jar
ant-apache-regexp-1.10.8.jar ant-apache-resolver-1.10.8.jar
ant-apache-xalan2-1.10.8.jar ant-commons-logging-1.10.8.jar
ant-commons-net-1.10.8.jar ant-jai-1.10.8.jar ant-javamail-1.10.8.jar
ant-jdepend-1.10.8.jar ant-jmf-1.10.8.jar ant-jsch-1.10.8.jar
ant-junit-1.10.8.jar ant-junit4-1.10.8.jar ant-launcher-1.10.8.jar
ant-netrexx-1.10.8.jar ant-swing-1.10.8.jar ant-testutil-1.10.8.jar
ant-xz-1.10.8.jar
./extide/o.apache.tools.ant.module/external/binaries-list:9A3E49630CAF4A67AD6188DC0D9C2D4C52CDF279
org.apache.ant:ant-apache-log4j:1.10.8
./extide/o.apache.tools.ant.module/external/build.xml:
<include name="ant-apache-log4j-1.10.8.jar" />
./ide/html.validation/external/binaries-list:F0A0D2E29ED910808C33135A3A5A51BBA6358F7B
log4j:log4j:1.2.15
./ide/html.validation/external/log4j-1.2.15-license.txt:URL:
http://logging.apache.org/log4j/
Binary file ./ide/html.validation/external/log4j-1.2.15.jar matches
Binary file ./ide/html.validation/external/validator-20200626-patched.jar
matches
./ide/html.validation/nbproject/project.properties:file.reference.log4j-1.2.15.jar=external/log4j-1.2.15.jar
./ide/html.validation/nbproject/project.properties:release.external/log4j-1.2.15.jar=modules/ext/log4j-1.2.15.jar
./ide/html.validation/nbproject/project.xml:
<runtime-relative-path>ext/log4j-1.2.15.jar</runtime-relative-path>
./ide/html.validation/nbproject/project.xml:
<binary-origin>external/log4j-1.2.15.jar</binary-origin>
./java/projectimport.eclipse.core/test/unit/data/71770.classpath:
<classpathentry kind="lib" path="C:/MyProjects/JavaAPI/log4j-1.2.8.jar"/>
/nbbuild/build/license-temp/LICENSE.txt:extide/ant/lib/ant-apache-log4j.jar
Apache-2.0-ant
./nbbuild/build/license-temp/LICENSE.txt:ide/modules/ext/log4j-1.2.15.jar
Apache-2.0
./nbbuild/build/notice-temp: - Unnamed - log4j:log4j:jar:1.2.12
./nbbuild/netbeans/extide/update_tracking/org-apache-tools-ant-module.xml:
<file crc="3387204857" name="ant/lib/ant-apache-log4j.jar"/>
Binary file ./nbbuild/netbeans/ide/modules/ext/log4j-1.2.15.jar matches
./nbbuild/netbeans/ide/update_tracking/org-netbeans-modules-html-validation.xml:
<file crc="2197124025" name="modules/ext/log4j-1.2.15.jar"/>
Binary file
./nbbuild/netbeans/java/modules/org-netbeans-modules-j2ee-persistence.jar
matches
./nbbuild/netbeans/LICENSE:extide/ant/lib/ant-apache-log4j.jar
Apache-2.0-ant
./nbbuild/netbeans/LICENSE:ide/modules/ext/log4j-1.2.15.jar
Apache-2.0
./nbbuild/netbeans/NOTICE: - Unnamed - log4j:log4j:jar:1.2.12
In short, I couldn't find any dependencies to log4j 2.x.x, unless I'm
missing something. In other words, NetBeans is secure by using old log4j
versions.
Best regards,
JK.
Re: log4j and NetBeans
Posted by Carl Mosca <ca...@gmail.com>.
Actually I was wondering about the find command arguments.
Sorry just asking.
On Wed, Dec 15, 2021 at 5:14 PM Michael Bien <mb...@gmail.com> wrote:
> You misinterpreted what I was trying to say. I did not want to imply
> that NB is vulnerable (I haven't checked). All I said is that log4j1 is
> EOL and has open vulnerabilities. Even if it would not have open CVEs,
> it still would have to be dropped at some point.
Regards,
Carl
Re: log4j and NetBeans
Posted by Michael Bien <mb...@gmail.com>.
You misinterpreted what I was trying to say. I did not want to imply
that NB is vulnerable (I haven't checked). All I said is that log4j1 is
EOL and has open vulnerabilities. Even if it would not have open CVEs,
it still would have to be dropped at some point.
On 15.12.21 23:08, Carl Mosca wrote:
> Is this inaccurate:
>
> Note that only the log4j-core JAR file is impacted by this vulnerability.
> Applications using only the log4j-api JAR file without the log4j-core JAR
> file are not impacted by this vulnerability.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@netbeans.apache.org
For additional commands, e-mail: dev-help@netbeans.apache.org
For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
Re: log4j and NetBeans
Posted by Carl Mosca <ca...@gmail.com>.
Is this inaccurate:
Note that only the log4j-core JAR file is impacted by this vulnerability.
Applications using only the log4j-api JAR file without the log4j-core JAR
file are not impacted by this vulnerability.
On Wed, Dec 15, 2021 at 5:01 PM Michael Bien <mb...@gmail.com> wrote:
> There is value in eventually moving from log4j 1 to a maintained lib since
> it's EOL and has open CVEs too.
Regards,
Carl
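
Added example, not part of the thread or of NetBeans' own tooling: the grep output in the first message reports several archives only as "Binary file ... matches", and the advisory text quoted in the message above separates log4j-core from log4j-api. This Python script opens archives, nested ones included, and reports which library's marker class each one contains; the finding labels, the size and depth limits and the sample bundle are assumptions constructed for illustration.

```python
import io
import os
import zipfile
import zlib

# Class files that identify each library inside an archive.
MARKERS = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "log4j-core 2.x (JndiLookup)",
    "org/apache/logging/log4j/Logger.class": "log4j-api 2.x",
    "org/apache/log4j/Logger.class": "log4j 1.x classes",
}
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 5                          # assumed limit on archive nesting
MAX_NESTED_BYTES = 256 * 1024 * 1024   # assumed limit per nested archive


def marker_for(name):
    """Return the finding label for an entry name, or None.

    Also matches prefixed copies such as WEB-INF/classes/org/...
    """
    for path, label in MARKERS.items():
        if name == path or name.endswith("/" + path):
            return label
    return None


def scan_archive(fileobj, label, depth=0):
    """Return sorted (location, finding) pairs, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(fileobj)
    except zipfile.BadZipFile:
        return [(label, "unreadable archive")]
    findings = []
    with zf:
        for info in zf.infolist():
            name = info.filename
            hit = marker_for(name)
            if hit:
                findings.append((label, hit))
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                inner = f"{label}!/{name}"
                if depth >= MAX_DEPTH or info.file_size > MAX_NESTED_BYTES:
                    findings.append((inner, "skipped (too deep or too large)"))
                    continue
                try:
                    data = zf.read(info)
                except (RuntimeError, zipfile.BadZipFile, zlib.error):
                    findings.append((inner, "unreadable archive"))
                    continue
                findings.extend(scan_archive(io.BytesIO(data), inner, depth + 1))
    return sorted(findings)


def scan_tree(root):
    """Scan every archive file under root, whatever its file name says."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    results.extend(scan_archive(fh, path))
    return sorted(results)


def make_zip(entries):
    """Build an in-memory zip from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample():
    """Constructed sample: inner file names give no hint of their contents."""
    core = make_zip({"org/apache/logging/log4j/core/lookup/JndiLookup.class": b""})
    api_only = make_zip({"org/apache/logging/log4j/Logger.class": b""})
    legacy = make_zip({"org/apache/log4j/Logger.class": b""})
    return make_zip({
        "lib/shaded-app.jar": core,
        "lib/facade.jar": api_only,
        "lib/legacy.jar": legacy,
        "README.txt": b"constructed sample",
    })


if __name__ == "__main__":
    for location, finding in scan_archive(io.BytesIO(build_sample()), "bundle.zip"):
        print(f"{finding:30} {location}")
```

A clean result only covers classes at their original package paths; a build that relocates packages while shading would need a content-based check instead.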
Re: log4j and NetBeans
Posted by Michael Bien <mb...@gmail.com>.
There is value in eventually moving from log4j 1 to a maintained lib since
it's EOL and has open CVEs too.
On 15.12.21 19:37, Eric Bresie wrote:
> Is there any value in eventually upgrading to a new log4j (i.e. log4j 2.15
> or newer)?
>
> Eric
Re: log4j and NetBeans
Posted by Eric Bresie <eb...@gmail.com>.
Is there any value in eventually upgrading to a new log4j (i.e. log4j 2.15
or newer)?
Eric
--
Eric Bresie
ebresie@gmail.com