On Mon, Dec 13, 2021 at 1:35 AM Bo Berglund <bo.bergl...@gmail.com> wrote:
> On Sun, 12 Dec 2021 15:30:20 +0300, Pavel Lyalyakin
> <pavel.lyalya...@visualsvn.com> wrote:
>
> >Apache Subversion and Apache HTTP Server are not Java applications.
> >Subversion does not depend on log4j. AFAIK, Apache HTTP Server does not
> >depend on log4j either.
>
> Sounds good.
>
> We are using VisualSVN on our main SVN server running on Windows Server
> 2016:
>
> H:\>svnadmin --version
> svnadmin, version 1.9.7 (r1800392)
> compiled Nov 21 2017, 12:52:53 on x86_64-microsoft-windows6.1.7601
>
> It has no exposure to the Internet, just sits on the LAN.
>
>
> We have a backup server off-site running on Ubuntu Server 20.04.3:
>
> $ svnadmin --version
> svnadmin, version 1.13.0 (r1867053)
> compiled Mar 24 2020, 12:33:36 on x86_64-pc-linux-gnu
>
> The latter is svnsync'ed from VisualSVN every night and is fully updated.
> It has no public interface, set to readonly except for the svnsync calls.
>
> Do we need to do anything for the "log4j" vulnerability?
>
>
> --
> Bo Berglund
> Developer in Sweden
>

The vulnerability CVE-2021-44228 in the Java-based library Log4j affects
Java-based products that depend on the Log4j library. As I said above,
Apache Subversion is not a Java application and it does not use Log4j.
VisualSVN Server is also not a Java application and it does not use Log4j.

--
With best regards,
Pavel Lyalyakin
VisualSVN Team