git-as-svn / git-as-svn

Subversion frontend server for Git repositories

https://git-as-svn.github.io/git-as-svn/htmlsingle/git-as-svn.html

log4j

mkunzecw opened this issue 2 years ago · comments

mkunzecw commented 2 years ago

The debian releases contain vulnerable log4j version

https://github.com/slonopotamus/git-as-svn/blob/4b8cdcc4c4472101378ea35e593f029a41e87831/build.gradle.kts#L103

Marat Radchenko commented 2 years ago

Are you aware of any log4j version that is not vulnerable?

2.17.0 is also broken: https://nvd.nist.gov/vuln/detail/CVE-2021-44832

Marat Radchenko commented 2 years ago

Possibly the proper fix is to get rid of log4j completely.

Marat Radchenko commented 2 years ago

git-as-svn 2.0.0 was just released. It includes log4j 2.17.1.

mkunzecw commented 2 years ago

agree, but thanks for the fix!