gitblit-org / gitblit

pure java git solution
http://gitblit.com
Apache License 2.0

log4j 1.2.17 has known vulnerabilities and reached EOL #1444

Closed thomass4t closed 11 months ago

thomass4t commented 1 year ago

The current version 1.9.3 of gitblit uses log4j 1.2.17. This version seems to be affected by different vulnerabilities: https://mvnrepository.com/artifact/log4j/log4j/1.2.17

The discussion at https://github.com/gitblit-org/gitblit/discussions/1403 was related to CVE-2021-44228, but there seem to be newer vulnerabilities in the meantime.

Furthermore, log4j 1.2 reached EOL in 2015 and shouldn't be used any more, because further issues won't be fixed in this version.

In order to stay within the lifecycle and to mitigate the mentioned CVEs, I would strongly recommend upgrading log4j to a current and supported version.

Maybe I could also send a PR, if this helps.

fbacchella commented 1 year ago

A quick and dirty solution is to use https://reload4j.qos.ch/.

fbacchella commented 11 months ago

That should be fixed now.

flaix commented 11 months ago

Gitblit moved to reload4j in #1461, closing this issue.