On Wed, Dec 15, 2021 at 6:13 AM Daniel Sahlberg <daniel.l.sahlb...@gmail.com> wrote: > > Hi, > > There has been several different requests regarding if Subversion is > vulnerable to the latest log4j problem. Should we write a new item about this > for the web site? Several people (Pavel Lyalyakin, Mark Phippard) has made > valuable comments and I can (with their permission) distil some condensed > reply.
Yes, it is a good idea. Make sure it is directly linkable as I expect the questions will still come to the mailing list. I would suggest using our News items and/or FAQ. I no longer work at CollabNet but I still took a quick look at the most recent version of SVN Edge. It is a Java app, so I suspected it might be vulnerable via a transitive dependency. The best I can tell it is not vulnerable though. It would still be worth telling users to contact the vendor of the distro they are using but I do not think there is any issue. AFAIK, SVN Edge was the only one that uses Java for the web interface. Mark
