What layout do we have available that does not require an external dependency?
On Tue, May 2, 2017 at 8:38 PM, Mikael Ståldal <[email protected]> wrote:

> Given the inherent security problems with Java object serialization
> (highlighted by CVE-2017-5645), I do suggest that we deprecate
> SerializedLayout and remove it as default for SocketAppender, and all other
> appenders which currently have it as default. (We can still keep
> SerializedLayout, with a warning about security issues in documentation,
> but users will have to enable it explicitly.)
>
> Some people have missed the fact that you can configure SocketAppender with
> another layout.
>
> I suggest we do this in the 2.9 release.
>
> I know this will break some existing configurations, but given the security
> problems, I think that is a price we have to pay in this case.
>
> We have a JIRA ticket for a new Avro based binary layout:
> https://issues.apache.org/jira/browse/LOG4J2-1871
>
> If we implement that in time for 2.9, we can recommend it as a replacement
> for SerializedLayout. If not, we could recommend JsonLayout which should
> contain all necessary information.
>
> --
> *Mikael Ståldal*
> Senior software developer
>
> *Magine TV*
> [email protected]
> Grev Turegatan 3 | 114 46 Stockholm, Sweden | www.magine.com
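
The quoted message notes that SocketAppender can be configured with a layout other than its default. The configuration below is an added example, not part of the thread or of the Log4j project's own files, showing the implicit SerializedLayout case beside two explicit text layouts. The host, port and appender names are constructed placeholders; JsonLayout needs the Jackson libraries on the classpath, while PatternLayout ships in log4j-core.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example. Host, port and appender names are constructed placeholders. -->
<Configuration status="warn">
  <Appenders>

    <!-- Before: no layout child element, so the appender uses its default,
         SerializedLayout, and sends Java-serialized LogEvent objects that
         the receiver has to deserialize.
    <Socket name="SocketDefault" host="logs.example.internal" port="4560"/>
    -->

    <!-- After, option 1: JsonLayout, one compact JSON document per line.
         Requires jackson-core and jackson-databind at runtime. -->
    <Socket name="SocketJson" host="logs.example.internal" port="4560"
            protocol="TCP">
      <JsonLayout compact="true" eventEol="true" properties="true"/>
    </Socket>

    <!-- After, option 2: PatternLayout, plain text lines.
         Part of log4j-core, so no additional dependency. -->
    <Socket name="SocketText" host="logs.example.internal" port="4561"
            protocol="TCP">
      <PatternLayout pattern="%d{ISO8601} [%t] %-5level %logger{36} - %msg%n"/>
    </Socket>

  </Appenders>
  <Loggers>
    <Root level="info">
      <!-- Reference whichever explicit-layout appender the receiver expects. -->
      <AppenderRef ref="SocketJson"/>
    </Root>
  </Loggers>
</Configuration>
```

With either explicit layout the receiving side parses text rather than calling Java deserialization on bytes read from the network.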
