Re: [Davmail-users] Davmail and the CVE-2021-44228-Log4j?
From: Geert S. <sta...@st...> - 2021-12-14 15:09:27
On Tue, Dec 14, 2021 at 08:52:50AM +0100, Ole Holm Nielsen via Davmail-users wrote:
> Hi,
>
> We have installed davmail 6.0.1 dated Dec. 3, 2021 as an RPM on CentOS 7.9.
> However, it's only a few days ago that the Vulnerability in Apache Log4j
> (CVE-2021-44228-Log4j) was announced. We note that Davmail includes a log4j
> component:
>
> $ rpm -ql davmail | grep log4j
> /usr/share/davmail/lib/log4j-1.2.16.jar
> /usr/share/davmail/lib/slf4j-log4j12-1.7.25.jar
>
> Question: Is davmail vulnerable to log4j?

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001684 discusses the same concern

> If so,
> when could we expect a security fix?

Quoting https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001684#17

  Also, since a while already, Java now has its own internal logging
  framework (java.util.logging.Logger), so there should be less and less
  reason to use potentially unsafe third-party logging libraries (but
  switching to java's internal logging might be more difficult to do in
  the short run than just upgrading to a newer version).

Regards
Geert Stappers
-- 
Silence is hard to parse