diff options
| author | Florian Zschocke <f.zschocke+git@gmail.com> | 2023-10-31 19:07:35 +0100 |
|---|---|---|
| committer | Florian Zschocke <f.zschocke+git@gmail.com> | 2023-10-31 19:07:35 +0100 |
| commit | d2a3322b280c408184cfe8618375b47cef09657a (patch) | |
| tree | 4e1df96befe3845068d18b7c34b3e05e3d0c0b1c | |
| parent | f124dfca7f8ec97b1f28cb5d258d8ee5d1da9b30 (diff) | |
| download | gitblit-d2a3322b280c408184cfe8618375b47cef09657a.tar.gz gitblit-d2a3322b280c408184cfe8618375b47cef09657a.zip | |
dep: Update slf4j to 1.7.36 and switch from log4j1 to reload4j
Replace log4j 1.2.17 with reload4j 1.2.25.
log4j 1.x was caught in the fire of the Log4Shell vulnerability, even
though the 1.x line was not affected by the vulnerability. Still, this
looks bad when it shows up in security scanners even though it doesn't
mean it has the Log4Shell vulnerability.
Switch to reload4j instead. This is a drop-in replacement of log4j.
Actually, it is log4j rebooted by the same author. The reload4j 1.x
line fixes security issues that have since surfaced.
At the same time we update to the latest slf4j version, which also
switched to reload4j for the log4j12 line.
| -rw-r--r-- | .classpath | 6 | ||||
| -rw-r--r-- | build.moxie | 6 | ||||
| -rw-r--r-- | gitblit.iml | 18 |
3 files changed, 15 insertions, 15 deletions
@@ -18,9 +18,9 @@ <classpathentry kind="lib" path="ext/j2objc-annotations-2.8.jar" sourcepath="ext/src/j2objc-annotations-2.8.jar" /> <classpathentry kind="lib" path="ext/guice-servlet-5.1.0-gb2.jar" sourcepath="ext/src/guice-servlet-5.1.0-gb2.jar" /> <classpathentry kind="lib" path="ext/annotations-12.0.jar" sourcepath="ext/src/annotations-12.0.jar" /> - <classpathentry kind="lib" path="ext/log4j-1.2.17.jar" sourcepath="ext/src/log4j-1.2.17.jar" /> - <classpathentry kind="lib" path="ext/slf4j-api-1.7.29.jar" sourcepath="ext/src/slf4j-api-1.7.29.jar" /> - <classpathentry kind="lib" path="ext/slf4j-log4j12-1.7.29.jar" sourcepath="ext/src/slf4j-log4j12-1.7.29.jar" /> + <classpathentry kind="lib" path="ext/reload4j-1.2.25.jar" sourcepath="ext/src/reload4j-1.2.25.jar" /> + <classpathentry kind="lib" path="ext/slf4j-api-1.7.36.jar" sourcepath="ext/src/slf4j-api-1.7.36.jar" /> + <classpathentry kind="lib" path="ext/slf4j-reload4j-1.7.36.jar" sourcepath="ext/src/slf4j-reload4j-1.7.36.jar" /> <classpathentry kind="lib" path="ext/javax.mail-1.5.6.jar" sourcepath="ext/src/javax.mail-1.5.6.jar" /> <classpathentry kind="lib" path="ext/activation-1.1.jar" sourcepath="ext/src/activation-1.1.jar" /> <classpathentry kind="lib" path="ext/javax.servlet-api-3.1.0.jar" sourcepath="ext/src/javax.servlet-api-3.1.0.jar" /> diff --git a/build.moxie b/build.moxie index e410855b..efbf7d5e 100644 --- a/build.moxie +++ b/build.moxie @@ -106,7 +106,7 @@ repositories: central, eclipse-snapshots, eclipse, gitblit # Convenience properties for dependencies properties: { jetty.version : 9.4.49.v20220914 - slf4j.version : 1.7.29 + slf4j.version : 1.7.36 wicket.version : 1.4.22 lucene.version : 5.5.2 jgit.version : 4.11.9.201909030838-r @@ -137,9 +137,9 @@ dependencies: - compile 'com.google.inject.extensions:guice-servlet:${guice-servlet.version}' :war - compile 'com.google.guava:guava:32.1.3-jre' :war :fedclient - compile 'com.intellij:annotations:12.0' :war -- compile 'log4j:log4j:1.2.17' :war :fedclient :manager +- compile 'ch.qos.reload4j:reload4j:1.2.25' :war :fedclient :manager - compile 'org.slf4j:slf4j-api:${slf4j.version}' :war :fedclient :manager -- compile 'org.slf4j:slf4j-log4j12:${slf4j.version}' :war :fedclient :manager +- compile 'org.slf4j:slf4j-reload4j:${slf4j.version}' :war :fedclient :manager - compile 'com.sun.mail:javax.mail:1.5.6' :war - compile 'javax.servlet:javax.servlet-api:3.1.0' :fedclient - compile 'org.eclipse.jetty:jetty-servlet:${jetty.version}' @jar diff --git a/gitblit.iml b/gitblit.iml index 85756ae8..20b42cee 100644 --- a/gitblit.iml +++ b/gitblit.iml @@ -145,35 +145,35 @@ </library> </orderEntry> <orderEntry type="module-library"> - <library name="log4j-1.2.17.jar"> + <library name="reload4j-1.2.25.jar"> <CLASSES> - <root url="jar://$MODULE_DIR$/ext/log4j-1.2.17.jar!/" /> + <root url="jar://$MODULE_DIR$/ext/reload4j-1.2.25.jar!/" /> </CLASSES> <JAVADOC /> <SOURCES> - <root url="jar://$MODULE_DIR$/ext/src/log4j-1.2.17.jar!/" /> + <root url="jar://$MODULE_DIR$/ext/src/reload4j-1.2.25.jar!/" /> </SOURCES> </library> </orderEntry> <orderEntry type="module-library"> - <library name="slf4j-api-1.7.29.jar"> + <library name="slf4j-api-1.7.36.jar"> <CLASSES> - <root url="jar://$MODULE_DIR$/ext/slf4j-api-1.7.29.jar!/" /> + <root url="jar://$MODULE_DIR$/ext/slf4j-api-1.7.36.jar!/" /> </CLASSES> <JAVADOC /> <SOURCES> - <root url="jar://$MODULE_DIR$/ext/src/slf4j-api-1.7.29.jar!/" /> + <root url="jar://$MODULE_DIR$/ext/src/slf4j-api-1.7.36.jar!/" /> </SOURCES> </library> </orderEntry> <orderEntry type="module-library"> - <library name="slf4j-log4j12-1.7.29.jar"> + <library name="slf4j-reload4j-1.7.36.jar"> <CLASSES> - <root url="jar://$MODULE_DIR$/ext/slf4j-log4j12-1.7.29.jar!/" /> + <root url="jar://$MODULE_DIR$/ext/slf4j-reload4j-1.7.36.jar!/" /> </CLASSES> <JAVADOC /> <SOURCES> - <root url="jar://$MODULE_DIR$/ext/src/slf4j-log4j12-1.7.29.jar!/" /> + <root url="jar://$MODULE_DIR$/ext/src/slf4j-reload4j-1.7.36.jar!/" /> </SOURCES> </library> </orderEntry> |