Maarten, I just pushed a change to Ivy upstream to not force existing
implementations of this URLHandler to understand timeout constraints and
yet have the feature available for other implementations. When you get a
chance, can you please try the IvyIdea plugin build/test with the latest
Ivy an
After 2.8.2, there's a class whitelist used for deserializing data in the
receiver.
On 7 February 2018 at 12:19, Gintautas Grigelionis
wrote:
> Sorry, could you please clarify whether there are different aspects pertaining
> to 1.x and 2.x up to and after 2.8.2?
>
> Thanks, Gintas
>
> 2018-02-07 19:
Sorry, could you please clarify whether there are different aspects pertaining
to 1.x and 2.x up to and after 2.8.2?
Thanks, Gintas
2018-02-07 19:10 GMT+01:00 Matt Sicker :
> Based on that version, this is related to using Java serialization for
> logs. The general workaround here is to use a differ
2018-02-07 18:25 GMT+01:00 Stefan Bodewig :
>
> Maybe it will be easier to digest if we start at a higher level of what
> needs to be changed. I don't think moving classes so we don't have any
> split packages anymore will be enough.
>
> I'd expect we'd need to replace all code that deals with cla
Based on that version, this is related to using Java serialization for
logs. The general workaround here is to use a different format like JSON
instead to avoid the vulnerability entirely.
On 7 February 2018 at 12:03, Gintautas Grigelionis
wrote:
> Exactly, what I meant is that it's worth pointi
Exactly, what I meant is that it's worth pointing out that not even all
versions of log4j 2.x are safe.
Gintas
2018-02-07 18:18 GMT+01:00 Stefan Bodewig :
> On 2018-02-07, Gintautas Grigelionis wrote:
>
> > The CVE says it affects SocketServer up to Log4j 2.8.2, so it's not only a
> > Log4j 1.x is
On 2018-02-07, Gintautas Grigelionis wrote:
> 2018-02-07 11:44 GMT+01:00 Stefan Bodewig :
>> My fear is that if the classpath world stops working then a completely
>> different version of Ant will be required. A version that has to break
>> backwards compatibility in many ways. I'd appreciate any
On 2018-02-07, Gintautas Grigelionis wrote:
> The CVE says it affects SocketServer up to Log4j 2.8.2, so it's not only a
> Log4j 1.x issue. Did I miss something?
The subject is how it has been reported to us.
Prior to the latest releases you have not been able to use log4j2 so
there is no reason t
The CVE says it affects SocketServer up to Log4j 2.8.2, so it's not only a
Log4j 1.x issue. Did I miss something?
Gintas
2018-02-07 8:11 GMT+01:00 Jan Matèrne (jhm) :
> CVE-2017-5645: Apache Ant 1.9.9 and 1.10.1 - Apache Log4j 1.2.13 security
> vulnerability
>
>
>
> Severity: low
>
> Vendor: The A
2018-02-07 11:44 GMT+01:00 Stefan Bodewig :
> On 2018-02-06, Gintautas Grigelionis wrote:
>
> > 2018-02-06 11:05 GMT+01:00 Stefan Bodewig :
>
> >> If the taskdef/typedef implementation classes are loaded via a module
> >> path and a custom task lives on the CLASSPATH will taskdef be able to
> >> l
On 2018-02-06, Gintautas Grigelionis wrote:
> 2018-02-06 11:05 GMT+01:00 Stefan Bodewig :
>> If the taskdef/typedef implementation classes are loaded via a module
>> path and a custom task lives on the CLASSPATH will taskdef be able to
>> load it at all?
> Anything on the CLASSPATH is in the unn