I don’t understand. 

Again ActiveMQ 5.16 is NOT impacted by log4shell. 

So why upgrade for that?

And no, you won’t have 5.17.0 on 31/01 as I plan to start the vote on that 
date. 

I would rather explain to your customer that ActiveMQ still uses log4j 1 and so 
no need to update. 

We already explained this several times on the mailing list. 

If you want I can talk to you and your customer to explain and provide details. 

Regards 
JB

> On 3 Jan 2022 at 18:35, Laurent Blanquet <lblanq...@b2btechno.net> wrote:
> 
> Indeed, they invoke CVE-2021-4104 + CVE-2019-17571 as the reasons why they 
> want to migrate.
> 
> Good news:  we've obtained a deadline to 31/01/2022.
> 
> Are you confident guys that we'll have the 5.17 release for this date or do 
> we have to develop some kind of patch?
> 
> Regards,
> 
> Laurent
> -----Original Message-----
> From: Jean-Baptiste Onofré <j...@nanthrax.net> 
> Sent: Monday, 3 January 2022 18:00
> To: dev@activemq.apache.org
> Subject: Re: ActiveMQ 5.17 and log4j2
> 
> Log4j2 is only impacted, not log4j 1.x.
> 
> It's what I meant: ActiveMQ 5.16.x/5.15.x are not affected by log4shell 
> vulnerability.
> 
> Regards
> JB
> 
>> On 03/01/2022 17:30, Xeno Amess wrote:
>> Just show the log4j2 CVE list to that customer, and persuade him there is no 
>> hurry to migrate.
>> 
>> XenoAmess
>> ________________________________
>> From: JB Onofré <j...@nanthrax.net>
>> Sent: Monday, January 3, 2022 11:31:30 PM
>> To: dev@activemq.apache.org <dev@activemq.apache.org>
>> Subject: Re: ActiveMQ 5.17 and log4j2
>> 
>> About 5.16 no way: it’s log4j 1.x
>> 
>> And log4j 1.x is not impacted by log4shell vulnerability so no need to 
>> update.
>> 
>> Regards
>> JB
>> 
>>>> On 3 Jan 2022 at 16:00, Laurent Blanquet <lblanq...@b2btechno.net> wrote:
>>> 
>>> Hi Guys,
>>> 
>>> It seems that the latest version available is still using log4j 1.2.17.
>>> 
>>> Unfortunately we have a customer who has a strong requisite to migrate to 
>>> log4j2 before 10 of January!
>>> 
>>> Is there a (simple) means to force this version (or 5.16.3?) to use log4j 
>>> 2.17?
>>> 
>>> Regards,
>>> 
>>> Laurent
>> 
