On Thu, Dec 16, 2021 at 12:50 AM Daniel Sahlberg <daniel.l.sahlb...@gmail.com> wrote:

> On Wed, 15 Dec 2021 at 15:32, Mark Phippard <markp...@gmail.com> wrote:
>
>> On Wed, Dec 15, 2021 at 7:25 AM Pavel Lyalyakin
>> <pavel.lyalya...@visualsvn.com> wrote:
>> >
>> > On Wed, Dec 15, 2021 at 2:13 PM Daniel Sahlberg <daniel.l.sahlb...@gmail.com> wrote:
>> >>
>> >> Hi,
>> >>
>> >> There have been several different requests regarding if Subversion is
>> >> vulnerable to the latest log4j problem. Should we write a new item about
>> >> this for the web site? Several people (Pavel Lyalyakin, Mark Phippard) have
>> >> made valuable comments and I can (with their permission) distil some
>> >> condensed reply.
>> >>
>> >> Kind regards,
>> >> Daniel
>> >
>> > There is one piece of information that hasn't been mentioned yet.
>> > Subversion repository hooks can be written in practically any programming
>> > language including Java. I see that there are instructions on the web for
>> > writing Java-based hooks that use Log4j as a dependency (google "writing
>> > subversion hooks in java"). Users have to examine their hook scripts to
>> > ensure that they are not vulnerable.
>> >
>> > BTW, you can find the announcement from VisualSVN Team regarding
>> > CVE-44228 (Log4Shell) at
>> > https://www.visualsvn.com/company/news/visualsvn-products-are-not-affected-by-CVE-2021-44228 .
>>
>> I suspect we do not want to be responsible for providing all of these
>> links here but I created a similar page for SVN Edge here:
>>
>> https://ctf.open.collab.net/sf/wiki/do/viewPage/projects.svnedge/wiki/Log4Shell
>>
>> Mark
>
> https://subversion.apache.org/#news-20211215
>
> (waiting for the native-english-speakers to roast me :-) )

It seems that the list markup is wrong. There should be <ul> (unordered list) tag instead of <p> (paragraph).

I also think that it makes sense to include links to the SVN Edge's page[1] and the announcement made by VisualSVN Team[2]. E.g., something like "some vendors have already announced that their distributions are not vulnerable to CVE-2021-44228".

some vendors already announced that their distros are not vulnerable

[1]: https://ctf.open.collab.net/sf/wiki/do/viewPage/projects.svnedge/wiki/Log4Shell
[2]: https://www.visualsvn.com/company/news/visualsvn-products-are-not-affected-by-CVE-2021-44228

--
With best regards,
Pavel Lyalyakin
VisualSVN Team