On Wed, Dec 15, 2021 at 7:25 AM Pavel Lyalyakin <pavel.lyalya...@visualsvn.com> wrote: > > > > On Wed, Dec 15, 2021 at 2:13 PM Daniel Sahlberg <daniel.l.sahlb...@gmail.com> > wrote: >> >> Hi, >> >> There has been several different requests regarding if Subversion is >> vulnerable to the latest log4j problem. Should we write a new item about >> this for the web site? Several people (Pavel Lyalyakin, Mark Phippard) has >> made valuable comments and I can (with their permission) distil some >> condensed reply. >> >> Kind regards, >> Daniel > > > There is one piece of information that hasn't been mentioned yet. Subversion > repository hooks can be written in practically any programming language > including Java. I see that there are instructions on the web for writing > Java-based hooks that use Log4j as a dependency (google "writing subversion > hooks in java"). Users have to examine their hook scripts to ensure that they > are not vulnerable. > > BTW, you can find the announcement from VisualSVN Team regarding CVE-44228 > (Log4Shell) at > https://www.visualsvn.com/company/news/visualsvn-products-are-not-affected-by-CVE-2021-44228.
I suspect we do not want to be responsible for providing all of these links here but I created a similar page for SVN Edge here: https://ctf.open.collab.net/sf/wiki/do/viewPage/projects.svnedge/wiki/Log4Shell Mark
