| Summary: | Impact of deleting ant-apache-log4j-1.10.9.jar from the server | | |
|---|---|---|---|
| Product: | LibreOffice | Reporter: | Ghazi Triki <ghazi.nocturne> |
| Component: | LibreOffice | Assignee: | Not Assigned <libreoffice-bugs> |
| Status: | UNCONFIRMED --- | | |
| Severity: | normal | CC: | sberg.fun, serval2412 |
| Priority: | medium | | |
| Version: | 7.2.5.2 release | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | | | |
| Crash report or crash signature: | | Regression By: | |

Description
Ghazi Triki
2022-02-10 06:12:14 UTC
Stephan: taking a look at configure.ac, I noticed the "NEED_ANT" var, which takes the value TRUE to build Hsqldb, Jfreereport or Rhino if they're not provided by the system. I also noticed ant_minver=1.6.0 (line 13599), but even if we force the use of the last known version 1.10.12, there are still CVEs, see https://mvnrepository.com/artifact/org.apache.ant/ant-apache-log4j/1.10.12

Any thoughts here?

(In reply to Ghazi Triki from comment #0)
> LibreOffice is still using the following dependency
>
> https://mvnrepository.com/artifact/org.apache.ant/ant-apache-log4j/1.10.9

I wouldn't know how LibreOffice would be using that, neither at build nor at run time. Can you be more specific? (And whatever "the server" is that you would want to delete something from.)

As Julien explains, LibreOffice may need an externally-provided ant, of some minimum version, at build time. Everything else is beyond what LibreOffice does or should care about.