May I know if Backdrop is vulnerable to Log4Shell/Log4j (CVE-2021-44228) in any stage or version, or if any third-party plugin has been found vulnerable to this? Is there any official statement from Backdrop on this? I need a firm answer on this. Thanks.
Backdrop is definitely not vulnerable because of Log4j. Log4j is a Java component; Backdrop doesn't directly use Java, it's written in PHP, HTML, and JavaScript, with a smattering of scripting languages and configurations.
Note: I don't speak officially for Backdrop, but I'm pretty confident about this.
Comments
I'm glad to hear this. Thanks for your affirmation.