From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <moss@cs.umass.edu>
Received: from mailsrv.cs.umass.edu (mailsrv.cs.umass.edu [128.119.240.136])
 by sourceware.org (Postfix) with ESMTPS id 5FE603858418
 for <cygwin@cygwin.com>; Thu, 23 Dec 2021 15:47:38 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 5FE603858418
Authentication-Results: sourceware.org;
 dmarc=none (p=none dis=none) header.from=cs.umass.edu
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=cs.umass.edu
Received: from [192.168.50.148] (c-24-62-201-179.hsd1.ma.comcast.net
 [24.62.201.179])
 by mailsrv.cs.umass.edu (Postfix) with ESMTPSA id ADA94401DCA9;
 Thu, 23 Dec 2021 10:47:37 -0500 (EST)
Reply-To: moss@cs.umass.edu
Subject: Re: Inquiry on Apache Log4j's Effect on Cygwin Software
To: "cygwin@cygwin.com" <cygwin@cygwin.com>
References: <MW5PR16MB4715B5B954FCFE75D451F6E7D77E9@MW5PR16MB4715.namprd16.prod.outlook.com>
 <CANV9t=Ra1_dHnGA1z=ae68p2k8nBGCcz6nCq724ii+eN_QmdEw@mail.gmail.com>
From: Eliot Moss <moss@cs.umass.edu>
Message-ID: <c0fb2faa-ac8a-80e0-c51b-154a1f498d4d@cs.umass.edu>
Date: Thu, 23 Dec 2021 10:47:37 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101
 Thunderbird/68.12.1
MIME-Version: 1.0
In-Reply-To: <CANV9t=Ra1_dHnGA1z=ae68p2k8nBGCcz6nCq724ii+eN_QmdEw@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-3.4 required=5.0 tests=BAYES_00, KAM_DMARC_STATUS,
 NICE_REPLY_A, SPF_HELO_NONE, SPF_PASS,
 TXREP autolearn=ham autolearn_force=no version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
 server2.sourceware.org
X-BeenThere: cygwin@cygwin.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Unsubscribe: <https://cygwin.com/mailman/options/cygwin>,
 <mailto:cygwin-request@cygwin.com?subject=unsubscribe>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-request@cygwin.com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
 <mailto:cygwin-request@cygwin.com?subject=subscribe>
X-List-Received-Date: Thu, 23 Dec 2021 15:47:39 -0000

On 12/23/2021 10:43 AM, Bill Stewart wrote:
> On Thu, Dec 23, 2021 at 8:19 AM Iyana Garry wrote:
> 
> Is there any confirmation that Cygwin software is not impacted by the
>> Apache Log4J vulnerabilities (CVE-2021-44228, CVE-2021-45046 and
>> CVE-2021-45105)?
>>
> 
> I'm not sure why there would need to be any such confirmation. Log4J is a
> Java application logging framework.

To clarify further, Java on the Windows platform is Windows native.
While it is possible to invoke Java from Cygwin bash, it is the
native Java one would invoke.  I am not aware of any Cygwin programs
that require and invoke Java.

Best wishes - Eliot Moss