That does not seem germane to this discussion. We don’t investigate and attempt 
to manage the security reporting arrangement of any of our other third party 
dependencies. 

> On Jan 21, 2022, at 7:59 AM, Sean Busbey <bus...@apache.org> wrote:
> 
> Has anyone asked the ASF Logging PMC if they'll forward security reports
> against log4j 1 to the reload4j project?
> 
>> On Fri, Jan 21, 2022 at 3:33 AM Pankaj Kumar <pankajku...@apache.org> wrote:
>> 
>> +1 for reload4j.
>> 
>> Regards,
>> Pankaj
>> 
>>> On Fri, Jan 21, 2022, 2:39 PM 张铎(Duo Zhang) <palomino...@gmail.com> wrote:
>>> 
>>> Already filed HBASE-26691.
>>> 
>>> Wei-Chiu Chuang <weic...@apache.org> wrote on Fri, Jan 21, 2022 at 16:53:
>>> 
>>>> +1 I am doing the same in Hadoop.
>>>> 
>>>>> On Fri, Jan 21, 2022 at 4:51 PM Viraj Jasani <vjas...@apache.org> wrote:
>>>>> 
>>>>> +1 for Reload4J migration in active release branches.
>>>>> 
>>>>> 
>>>>> On Fri, 21 Jan 2022 at 12:52 PM, Andrew Purtell <andrew.purt...@gmail.com> wrote:
>>>>> 
>>>>>> +1 for migrating to Reload4J. It is binary and configuration compatible
>>>>>> with log4j 1, so it meets our compatibility guidelines.
>>>>>> 
>>>>>> If this is an agreeable plan I can make the changes in a PR and we can
>>>>>> do a round of new releases.
>>>>>> 
>>>>>>> On Jan 20, 2022, at 10:16 PM, Duo Zhang <zhang...@apache.org> wrote:
>>>>>>> 
>>>>>>> On master we have already migrated to log4j2, but for all other release
>>>>>>> lines we are still on log4j1.
>>>>>>> 
>>>>>>> Recently there have been several new CVEs for log4j1, so I think we
>>>>>>> should also address them for release lines other than master.
>>>>>>> 
>>>>>>> One possible solution is to also migrate to log4j2 but use the log4j12
>>>>>>> bridge to maintain compatibility, but we already know that the log4j12
>>>>>>> bridge can not work perfectly with hadoop, as hadoop has some customized
>>>>>>> log4j1 appender implementations, which inherit from some log4j1 appenders
>>>>>>> which are not part of the log4j12 bridge.
>>>>>>> 
>>>>>>> Reload4j is a fork of log4j1 and has fixed the critical CVEs, so it is
>>>>>>> less painful to replace log4j with reload4j.
>>>>>>> 
>>>>>>> Suggestions are welcome.
>>>>>>> 
>>>>>>> Thanks. Regards
>>>>>> 
>>>>> 
>>>> 
>>> 
>> 
