On Tue, Dec 14, 2021 at 08:52:50AM +0100, Ole Holm Nielsen via Davmail-users wrote:
> Hi,
>
> We have installed davmail 6.0.1 dated Dec. 3, 2021 as an RPM on CentOS 7.9.
> However, it's only a few days ago that the Vulnerability in Apache Log4j
> (CVE-2021-44228-Log4j) was announced. We note that Davmail includes a log4j
> component:
>
> $ rpm -ql davmail | grep log4j
> /usr/share/davmail/lib/log4j-1.2.16.jar
> /usr/share/davmail/lib/slf4j-log4j12-1.7.25.jar
>
> Question: Is davmail vulnerable to log4j? If so, when could we expect a
> security fix?
Quoting https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001684#22
Debian maintainer of Davmail, Alexandre Rossi:

> Also, since a while already, Java now has its own internal logging
> framework (java.util.logging.Logger), so there should be less and
> less reason to use potentially unsafe third-party logging libraries
> (but switching to java's internal logging might be more difficult
> to do in the short run than just upgrading to a newer version).

I'll try to report this upstream.

And I hope this helps

Greetings
Geert Stappers
-- 
Silence is hard to parse
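The check behind the question in this thread, as an added example that is not part of the thread, of the davmail project, or of the Debian bug: CVE-2021-44228 is the JNDI lookup in Log4j 2 core, implemented by the class org/apache/logging/log4j/core/lookup/JndiLookup.class, so the practical test for a jar is whether that class is present and which log4j-core version the jar's pom.properties declares. A jar that only carries the org/apache/log4j/ package (the 1.x line that the rpm -ql output above lists) does not contain that class. The stdlib-only Python scanner below walks a directory such as /usr/share/davmail/lib, opens every jar, recurses into nested jars inside fat application archives, and reports a verdict per archive. It reports only what the jar contains, not whether the application's logging configuration makes the code reachable; the jars in demo() are constructed look-alikes built in memory, not real artifacts, and the verdict strings are my own wording.

```python
"""Scan jar files for the Log4j 2 JndiLookup class behind CVE-2021-44228.

Added example, not code from the davmail project or the mailing-list thread.
Assumption: presence of the class is reported as a candidate, not as proof of
exploitability in a given deployment.
"""
import io
import os
import sys
import tempfile
import zipfile

# Class implementing the JNDI lookup in log4j-core 2.x (CVE-2021-44228).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped inside log4j-core jars; carries the version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def inspect_jar(data, label):
    """Inspect one archive held in memory; recurse into nested archives.

    Returns a list of findings: the archive itself first, nested ones after.
    """
    finding = {"label": label, "log4j1": False, "log4j2_version": None, "jndi_lookup": False}
    findings = [finding]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container; nothing more to learn from it
    with zf:
        names = zf.namelist()
        finding["log4j1"] = any(n.startswith("org/apache/log4j/") for n in names)
        finding["jndi_lookup"] = JNDI_LOOKUP in names
        for n in names:
            if n.endswith(POM_PROPERTIES):
                for line in zf.read(n).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        finding["log4j2_version"] = line.split("=", 1)[1].strip()
            elif n.lower().endswith(ARCHIVE_SUFFIXES):
                # Fat/shaded application jars bundle log4j as a nested jar.
                findings.extend(inspect_jar(zf.read(n), f"{label}!/{n}"))
    return findings


def verdict(finding):
    """Turn one finding into a one-line verdict (wording is this example's own)."""
    if finding["jndi_lookup"]:
        ver = finding["log4j2_version"] or "unknown version"
        return f"log4j 2 core ({ver}) with JndiLookup present: CVE-2021-44228 candidate"
    if finding["log4j2_version"]:
        return f"log4j 2 core ({finding['log4j2_version']}) without JndiLookup"
    if finding["log4j1"]:
        return "log4j 1.x classes only; the Log4j 2 JNDI lookup is not present"
    return "no log4j classes found"


def scan_dir(root):
    """Walk a directory (e.g. /usr/share/davmail/lib) and return (label, verdict) pairs."""
    results = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    for finding in inspect_jar(fh.read(), path):
                        results.append((finding["label"], verdict(finding)))
    return results


def build_jar(entries):
    """Construct an in-memory jar from {entry name: bytes}; sample input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo():
    """Scan constructed look-alike jars; returns {relative label: verdict}."""
    class_stub = b"\xca\xfe\xba\xbe"  # only the entry names matter to the scanner
    vulnerable_core = build_jar({
        JNDI_LOOKUP: class_stub,
        POM_PROPERTIES: b"version=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
    })
    samples = {
        # stand-in for the log4j-1.2.16.jar listed in the thread: 1.x package only
        "log4j-1.2.16.jar": build_jar({"org/apache/log4j/Logger.class": class_stub}),
        "log4j-core-2.14.1.jar": vulnerable_core,
        # same version with the class removed (the "zip -d JndiLookup.class" mitigation)
        "log4j-core-2.14.1-patched.jar": build_jar({POM_PROPERTIES: b"version=2.14.1\n"}),
        # fat application jar that hides the vulnerable core one level down
        "app-all.jar": build_jar({"com/example/App.class": class_stub,
                                  "lib/log4j-core-2.14.1.jar": vulnerable_core}),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return {label[len(tmp) + 1:]: v for label, v in scan_dir(tmp)}


if __name__ == "__main__":
    rows = scan_dir(sys.argv[1]) if len(sys.argv) > 1 else demo().items()
    for label, v in rows:
        print(f"{label}: {v}")
```

Run it as `python3 scan_log4j.py /usr/share/davmail/lib` on the host from the thread; without an argument it scans the constructed samples. The equivalent quick manual check for a single jar is `unzip -l /usr/share/davmail/lib/log4j-1.2.16.jar | grep JndiLookup`, which prints nothing for a 1.x jar. Recursing into nested archives matters because a shaded application jar can carry a vulnerable log4j-core that never shows up in `rpm -ql` by name.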