Hello, LibreOffice is still using the following dependency https://mvnrepository.com/artifact/org.apache.ant/ant-apache-log4j/1.10.9 that has some known vulnerability issues from its dependencies, so no direct issues. If I remove it, will LibreOffice continue to work properly? Should remove its dependencies too? Is there any way to use another logger like logback? Thanks
Stephan: taking a look at configure.ac, I noticed "NEED_ANT" var which takes the value TRUE to build Hsqldb, Jfreereport or Rhino if they're not provided by system. I also noticed ant_minver=1.6.0 (line 13599) but even we force the use of last known version 1.10.12, there are still CVEs, see https://mvnrepository.com/artifact/org.apache.ant/ant-apache-log4j/1.10.12 Any thoughts here?
(In reply to Ghazi Triki from comment #0) > LibreOffice is still using the following dependency > > https://mvnrepository.com/artifact/org.apache.ant/ant-apache-log4j/1.10.9 I wouldn't know how LibreOffice would be using that, neither at build nor at run time. Can you be more specific? (And whatever "the server" is that you would want to delete something from.) As Julien explains, LibreOffice may need an externally-provided ant, of some minimum version, at build time. Everything else is beyond what LibreOffice does or should care about.