Bug #18424: Is Ruby is vulnerable to log4j? - Ruby - Ruby Issue Tracking System

Custom queries

Backport 3.2
Backport 3.3
Backport 3.4
bugs: unassigned
DevMeeting
matz
Open issues with attachment
Windows

Actions

Copy link

Bug #18424

closed

Is Ruby is vulnerable to log4j?

Bug #18424: Is Ruby is vulnerable to log4j?

Added by salamani (Ravi Salamani) almost 4 years ago. Updated almost 4 years ago.

Status:

Rejected

Assignee:

Target version:

ruby -v:

master

Backport:

2.6: UNKNOWN, 2.7: UNKNOWN, 3.0: UNKNOWN

[ruby-core:106775]

Description

I observed that the ruby uses zookeeper, dep "slyphon-log4j", "= 1.2.15".
Is Ruby is vulnerable to log4j?

History
Notes
Property changes

Updated by mame (Yusuke Endoh) almost 4 years ago Actions
Copy link
#1 [ruby-core:106776]

Status changed from Open to Rejected

The Ruby package itself does not depend on log4j. For an application or library written in Ruby, please ask to its maintainer.

Updated by salamani (Ravi Salamani) almost 4 years ago Actions
Copy link
#2 [ruby-core:106777]

mame (Yusuke Endoh) wrote in #note-1:

The Ruby package itself does not depend on log4j. For an application or library written in Ruby, please ask to its maintainer.

https://github.com/ruby/ruby/blob/master/spec/bundler/resolver/platform_spec.rb#L31 Does it installs log4j?

Updated by austin (Austin Ziegler) almost 4 years ago Actions
Copy link
#3 [ruby-core:106778]

salamani (Ravi Salamani) wrote in #note-2:

mame (Yusuke Endoh) wrote in #note-1:

The Ruby package itself does not depend on log4j. For an application or library written in Ruby, please ask to its maintainer.

https://github.com/ruby/ruby/blob/master/spec/bundler/resolver/platform_spec.rb#L31 Does it installs log4j?

This is a Ruby spec that verifies bundler. This particular path would only be run by JRuby and possibly TruffleRuby, as CRuby is not written with Java.

Updated by deivid (David Rodríguez) almost 4 years ago Actions
Copy link
#4 [ruby-core:106791]

Yes, that's correct. The naming in these test cases is inspired by realworld packages, but these are just dummy packages just for the sake of testing, not the real library code. You can replace log4j with very-secure-library in those tests and they should still pass.

Actions

Copy link

Also available in: PDF Atom

Project

General

Profile

Ruby

Tags

Custom queries

Bug #18424

Is Ruby is vulnerable to log4j?

Updated by mame (Yusuke Endoh) almost 4 years ago Actions
Copy link
#1 [ruby-core:106776]

Updated by salamani (Ravi Salamani) almost 4 years ago Actions
Copy link
#2 [ruby-core:106777]

Updated by austin (Austin Ziegler) almost 4 years ago Actions
Copy link
#3 [ruby-core:106778]

Updated by deivid (David Rodríguez) almost 4 years ago Actions
Copy link
#4 [ruby-core:106791]

Project

General

Profile

Ruby

Tags

Custom queries

Bug #18424

Is Ruby is vulnerable to log4j?

Updated by mame (Yusuke Endoh) almost 4 years ago ActionsCopy link #1 [ruby-core:106776]

Updated by salamani (Ravi Salamani) almost 4 years ago ActionsCopy link #2 [ruby-core:106777]

Updated by austin (Austin Ziegler) almost 4 years ago ActionsCopy link #3 [ruby-core:106778]

Updated by deivid (David Rodríguez) almost 4 years ago ActionsCopy link #4 [ruby-core:106791]

Updated by mame (Yusuke Endoh) almost 4 years ago Actions
Copy link
#1 [ruby-core:106776]

Updated by salamani (Ravi Salamani) almost 4 years ago Actions
Copy link
#2 [ruby-core:106777]

Updated by austin (Austin Ziegler) almost 4 years ago Actions
Copy link
#3 [ruby-core:106778]

Updated by deivid (David Rodríguez) almost 4 years ago Actions
Copy link
#4 [ruby-core:106791]