<rsbecker@xxxxxxxxxxxxx> writes:

>> +No part of Git is written in Java, hence it is not susceptible to the
>> +log4j vulnerability that has been causing sensation recently.
>> +
> ...
> This is a good idea. I have had to reassure a whole bunch of people in my
> community about this, not really because of git itself but because of the
> Maven build associated with EGit/JGit that may (do) have this issue if the
> wrong version of log4j is available. I would rather not discuss the
> particulars of the attack vector in this mailing list.

As you can point those people at the message that started this thread
at the lore archive, I actually think that I already have done
enough to achieve our goal ;-)
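
Review bot: in the second added line of the quoted hunk, "the log4j vulnerability that has been causing sensation recently" identifies the issue only by a relative "recently", and it reads more cleanly as "causing a sensation"; naming the advisory identifier there would keep the sentence meaningful to later readers. The first added line speaks only for Git itself, and since the quoted reply says the questions come from the Maven build associated with EGit/JGit, it may be worth stating explicitly that the sentence does not cover those Java projects.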