On 2018-02-07, Gintautas Grigelionis wrote:

> The CVE says it affects SocketServer up to Log4j 2.8.2, so it's not only
> Log4j 1.x issue. Did I miss something?

The subject is how it has been reported to us. Prior to the latest releases you have not been able to use log4j2 so there is no reason to talk about those versions.

The recommended mitigation of "don't use Log4JListener or use the log4j2-bridge" is correct, one might add "of a log4j 2.x version that is not vulnerable to the attack".

Stefan