On Sun, 12 Dec 2021 15:30:20 +0300, Pavel Lyalyakin
<pavel.lyalya...@visualsvn.com> wrote:

>Apache Subversion and Apache HTTP Server are not Java applications.
>Subversion does not depend on log4j. AFAIK, Apache HTTP Server does not
>depend on log4j either.

Sounds good.

We are using VisualSVN on our main SVN server running on Windows Server 2016: 

H:\>svnadmin --version
svnadmin, version 1.9.7 (r1800392)
   compiled Nov 21 2017, 12:52:53 on x86_64-microsoft-windows6.1.7601

It has no exposure to the Internet, just sits on the LAN.


We have a backup server off-site running on Ubuntu Server 20.04.3:

$ svnadmin --version
svnadmin, version 1.13.0 (r1867053)
   compiled Mar 24 2020, 12:33:36 on x86_64-pc-linux-gnu

The latter is svnsync'ed from VisualSVN every night and is fully updated.
It has no public interface, set to readonly except for the svnsync calls.

Do we need to do anything for the "log4j" vulnerability?


-- 
Bo Berglund
Developer in Sweden
