tag 1001684 moreinfo
thanks

Hi,

> According to https://github.com/jagornet/dhcp/issues/20 , log4j 1.2 is
> vulnerable to CVE-2019-17571, so davmail should use log4j 2.15 or 2.16
> instead.

According to the debian security tracker[1], this has been fixed in
log4j so davmail uses a fixed version.

https://security-tracker.debian.org/tracker/source-package/apache-log4j1.2

Do you have exploit code that works against davmail or any other clue
that davmail needs fixing?

Thanks,
Alex