Draft:
---------------------
The Jena project has changed the logging provider for slf4j from log4j1
to log4j2.
This message is to let anyone who has customized the logging output from
Fuseki know that this change is coming. It is necessary because log4j1 has a
security alert (CVE-2019-17571) raised against it and the recommended
response is to move to log4j2. While the specific issue does not affect
the use made by Fuseki, the code is in the jarfile.
Fuseki will ship with log4j2 at version 3.15.0. log4j1 configuration
files are not compatible with log4j2.
Largely, this is an invisible change. API-using code has had to have its
own slf4j setup for some time.
Where the project artifacts include a full logging setup, such as Fuseki,
there is no change needed when using the default output provided.
Customizations may be impacted.
Applications using the Jena LogCtl class will notice that log4j1 is no
longer available.
log4j1 is EOL and getting no fixes so if you use it, beware you may need
to change. To do that, use this dependency:
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-slf4j-impl</artifactId>
      <version>2.13.1</version>
    </dependency>
in place of:
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-log4j12</artifactId>
      <version>...</version>
    </dependency>
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>...</version>
    </dependency>
and change the logging configuration file.
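
An illustration of the configuration file change, added here as an example and not taken from the Jena project or from Fuseki's shipped configuration: a small log4j1 properties setup (shown as comments) and the same setup in log4j2 properties syntax. The appender names, pattern and levels are constructed for the example.

```properties
# --- Before: log4j.properties (log4j1 syntax, not read by log4j2) ---
# log4j.rootLogger=INFO, stdlog
# log4j.appender.stdlog=org.apache.log4j.ConsoleAppender
# log4j.appender.stdlog.layout=org.apache.log4j.PatternLayout
# log4j.appender.stdlog.layout.ConversionPattern=%d{HH:mm:ss} %-5p %-20c{1} :: %m%n
# log4j.logger.org.apache.jena=WARN

# --- After: log4j2.properties (log4j2 syntax) ---
# Level for log4j2's own internal status messages.
status = error
name = ExampleConfig

# Console appender; "OUT" is a constructed name referenced below.
appender.console.type = Console
appender.console.name = OUT
appender.console.target = SYSTEM_OUT
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = %d{HH:mm:ss} %-5p %-20c{1} :: %m%n

# Root logger: replaces "log4j.rootLogger=INFO, stdlog".
rootLogger.level = INFO
rootLogger.appenderRef.stdout.ref = OUT

# Per-package level: replaces "log4j.logger.org.apache.jena=WARN".
# "jena" is only a key that groups these two lines.
logger.jena.name = org.apache.jena
logger.jena.level = WARN
```

log4j2 looks for log4j2.properties on the classpath, or for the file named by the log4j.configurationFile system property; a leftover log4j.properties file is not picked up.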