Re: [cross-project-issues-dev] log4j vulnerability in Eclipse?

2021-12-10 Thread Ed Willink
Hi The title of this thread is confusing. It appears that there is a concern with org.apache.logging.log4j. To me log4J is org.apache.log4j that has been in use by numerous Eclipse projects unchanged for over 10 years. e.g. org.eclipse.quinox.p2.ui, org.eclipse.gef,

Re: [cross-project-issues-dev] log4j vulnerability in Eclipse?

2021-12-10 Thread Denis Roy
Ed, Just want to say -- these tools you write are freekin' amazing. Thanks On 2021-12-10 16:11, Ed Merks wrote: Denis, I believe that only Passage depends on this older version: The SimRel dependency analysis tool I'm currently developing will be able to give a more definitive

Re: [cross-project-issues-dev] log4j vulnerability in Eclipse?

2021-12-10 Thread Ed Merks
Denis, I believe that only Passage depends on this older version: The SimRel dependency analysis tool I'm currently developing will be able to give a more definitive answer... Regards, Ed On 10.12.2021 20:49, Denis Roy wrote: So, yes, Eclipse 2021-12 is vulnerable as 2.0.0 < 2.8.2 <

Re: [cross-project-issues-dev] log4j vulnerability in Eclipse?

2021-12-10 Thread Joakim Erdfelt
Eclipse Jetty has no hard dependency on log4j2. It's an optional feature that can be used via slf4j-api. On Fri, Dec 10, 2021 at 1:11 PM Denis Roy wrote: > I guess I'm trying to determine if there are any versions of Eclipse, > Jetty, jGit, etc that are vulnerable. > > > For instance, we use

Re: [cross-project-issues-dev] log4j vulnerability in Eclipse?

2021-12-10 Thread Mickael Istria
On Fri, Dec 10, 2021 at 8:12 PM Denis Roy wrote: > I guess I'm trying to determine if there are any versions of Eclipse, > Jetty, jGit, etc that are vulnerable. > Eclipse Platform, and its transitive deps (including some parts of Jetty), do not require nor ship log4j. EGit does include log4j

Re: [cross-project-issues-dev] log4j vulnerability in Eclipse?

2021-12-10 Thread Denis Roy
So, yes, Eclipse 2021-12 is vulnerable as 2.0.0 < 2.8.2 < 2.14.1 On 2021-12-10 14:39, Ed Merks wrote: Denis, You can see the versions of log4j in the 2021-12 release here: https://www.eclipse.org/downloads/download.php?format=xml=/releases/2021-12/202112081000=us=1=xml These I think:

Re: [cross-project-issues-dev] log4j vulnerability in Eclipse?

2021-12-10 Thread Ed Merks
Denis, You can see the versions of log4j in the 2021-12 release here: https://www.eclipse.org/downloads/download.php?format=xml=/releases/2021-12/202112081000=us=1=xml These I think: * org.apache.log4j 1.2.15.v201012070815

Re: [cross-project-issues-dev] log4j vulnerability in Eclipse?

2021-12-10 Thread Denis Roy
I guess I'm trying to determine if there are any versions of Eclipse, Jetty, jGit, etc that are vulnerable. For instance, we use Gerrit 3.2.7, which may contain a vulnerability. Denis On 2021-12-10 14:02, Matthew Khouzam via cross-project-issues-dev wrote:

Re: [cross-project-issues-dev] log4j vulnerability in Eclipse?

2021-12-10 Thread Matthew Khouzam via cross-project-issues-dev
https://nvd.nist.gov/vuln/detail/CVE-2021-44228 NVD - CVE-2021-44228 Apache Log4j2 <=2.14.1 JNDI features used in configuration, log

[cross-project-issues-dev] log4j vulnerability in Eclipse?

2021-12-10 Thread Denis Roy
Hi Folks, As you may be aware, an important vulnerability has been discovered in log4j. If I recall, log4j is used in Eclipse components. Does anyone have a feel for our current state? Is 2021-12 affected?

Re: [cross-project-issues-dev] Serious problems with the new Maven POM XML editor

2021-12-10 Thread Denis Roy
Thank you! I know even a 200M download may seem trivial and free for end-users, but if it's multiplied by dozens/hundreds/thousands of users daily/multiple times/day, it's very expensive for those who pay for Internet transit (egress). Thanks for the consideration. Denis On 2021-12-10

Re: [cross-project-issues-dev] Serious problems with the new Maven POM XML editor

2021-12-10 Thread Christoph Läubrich
Link is https://github.com/eclipse-m2e/m2e-core/issues/441 Related issues: https://github.com/eclipse/lemminx-maven/issues/232 https://github.com/eclipse/lemminx-maven/issues/233 On 10.12.21 at 15:13, Denis Roy wrote: Please also link the bug number here so we can also follow along. Thanks

[cross-project-issues-dev] Apache Maven 3.8.4 is available on all Jenkins instances now

2021-12-10 Thread Frederic Gurr
Hi, Maven 3.8.4 has been deployed to all Jenkins instances. Note that apache-maven-latest has been set to 3.8.3 now and will stay for a while (at least 4 weeks) to give projects some time to check if there are any regressions. Release notes for Maven 3.8.4 can be found here:

Re: [cross-project-issues-dev] Serious problems with the new Maven POM XML editor

2021-12-10 Thread Denis Roy
Please also link the bug number here so we can also follow along. Thanks Denis On 2021-12-10 04:38, Andrey Loskutov wrote: Hi Lorenzo, Sounds really scary. Please create a bug for m2e, we should continue investigation on that bug ASAP. Kind regards, Andrey Loskutov Спасение утопающих -

Re: [cross-project-issues-dev] Serious problems with the new Maven POM XML editor

2021-12-10 Thread Lorenzo Bettini
On 10/12/21 10:38, Andrey Loskutov wrote: Hi Lorenzo, Sounds really scary. Please create a bug for m2e, we should continue investigation on that bug ASAP. Done https://github.com/eclipse-m2e/m2e-core/issues/441 If this bug is confirmed it's not scary... it's a disaster... cheers Lorenzo

Re: [cross-project-issues-dev] Serious problems with the new Maven POM XML editor

2021-12-10 Thread Andrey Loskutov
Hi Lorenzo, Sounds really scary. Please create a bug for m2e, we should continue investigation on that bug ASAP. Kind regards, Andrey Loskutov Rescuing the drowning is the job of the drowning themselves https://www.eclipse.org/user/aloskutov

[cross-project-issues-dev] Serious problems with the new Maven POM XML editor

2021-12-10 Thread Lorenzo Bettini
Hi I tried, in a brand new environment, the new 2021-12 Java distribution, eager to try the new Maven POM XML, after looking at the nice video of Holger Voormann (https://www.youtube.com/watch?v=3W9bvidcO20) I simply created a new Maven project with the archetype and tried to use content