Re: [Davmail-users] Davmail and the CVE-2021-44228-Log4j?
Brought to you by:
mguessan
Menu
▾
▴
Re: [Davmail-users] Davmail and the CVE-2021-44228-Log4j?
|
From: Mickaël G. <mgu...@fr...> - 2021-12-14 17:23:39
|
The good news is that DavMail is *not* vulnerable to latest Log4J 2 CVE as it depends on log4J version 1. Regards, Le 14/12/2021 à 08:52, Ole Holm Nielsen via Davmail-users a écrit : > Hi, > > We have installed davmail 6.0.1 dated Dec. 3, 2021 as an RPM on CentOS > 7.9. However, it's only a few days ago that the Vulnerability in > Apache Log4j (CVE-2021-44228-Log4j) was announced. We note that > Davmail includes a log4j component: > > $ rpm -ql davmail | grep log4j > /usr/share/davmail/lib/log4j-1.2.16.jar > /usr/share/davmail/lib/slf4j-log4j12-1.7.25.jar > > Question: Is davmail vulnerable to log4j? If so, when could we expect > a security fix? > > Thanks, > Ole > |
