To: davmail-us...@lists.sourceforge.net

On Tue, Dec 14, 2021 at 06:23:29PM +0100, Mickaël Guessant wrote:
> On 14/12/2021 at 08:52, Ole Holm Nielsen via Davmail-users wrote:
> > Hi,
> >
> > We have installed davmail 6.0.1 dated Dec. 3, 2021 as an RPM on CentOS
> > 7.9. However, it's only a few days ago that the Vulnerability in Apache
> > Log4j (CVE-2021-44228-Log4j) was announced. We note that Davmail
> > includes a log4j component:
> >
> > $ rpm -ql davmail | grep log4j
> > /usr/share/davmail/lib/log4j-1.2.16.jar
> > /usr/share/davmail/lib/slf4j-log4j12-1.7.25.jar
> >
> > Question: Is davmail vulnerable to log4j? If so, when could we expect a
> > security fix?
> >
> > Thanks,
> > Ole
> >
>
> The good news is that DavMail is *not* vulnerable to the latest Log4J 2 CVE as
> it depends on log4J version 1.

FWIW: That matches https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001684#38

> Regards,
> Mickaël Guessant

@Alexandre: FYI, your message didn't yet reach Davmail mailing list subscribers.

Regards
Geert Stappers
-- 
Silence is hard to parse
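The Log4j 1 versus Log4j 2 distinction discussed in this thread can be checked from jar contents instead of file names. The sketch below is an added example, not part of the original messages or of DavMail; the sample jars are constructed in memory and the function names are hypothetical. It flags archives that carry the Log4j 2 core `JndiLookup` class, including ones nested inside a bundled jar.

```python
import io
import zipfile

# Class paths that tell the two generations apart.
# Note: the Log4j 2 "log4j-1.2-api" bridge also ships org/apache/log4j/ classes.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"  # Log4j 1.x API
LOG4J2_JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j-core 2.x

def classify_jar(data, depth=0):
    """Return 'log4j2-core', 'log4j1' or 'none' for the bytes of one jar.
    Inspects contents and descends into nested jars up to a small depth."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "none"
    found = "none"
    with zf:
        for name in zf.namelist():
            if name == LOG4J2_JNDI:
                return "log4j2-core"
            if name == LOG4J1_MARKER:
                found = "log4j1"
            elif name.endswith((".jar", ".war")) and depth < 3:
                inner = classify_jar(zf.read(name), depth + 1)
                if inner == "log4j2-core":
                    return inner
                if inner == "log4j1":
                    found = inner
    return found

def make_jar(entries):
    """Build a constructed sample jar in memory from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()

# Constructed samples: empty class files, layout only.
SAMPLES = {
    "log4j-1.2.16.jar": make_jar({LOG4J1_MARKER: b""}),
    "slf4j-log4j12-1.7.25.jar": make_jar({"org/slf4j/impl/Log4jLoggerFactory.class": b""}),
    "bundled-app.jar": make_jar({"lib/log4j-core.jar": make_jar({LOG4J2_JNDI: b""})}),
}

def scan(samples):
    """Classify every sample and return {file name: verdict}."""
    return {name: classify_jar(data) for name, data in samples.items()}

if __name__ == "__main__":
    print(scan(SAMPLES))
```

A `log4j1` verdict only says the archive is outside the scope of CVE-2021-44228; it is not a statement about issues specific to Log4j 1.x.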