While Gary is correct that we wouldn’t want to discuss a specific security vulnerability in public, we can discuss the policy here.
For a number of reasons I would say the answer is “No”:

It gives the impression that Log4j 1.x is not End-of-Life and that future enhancements and bug fixes could be accepted.

We provide alternatives so that Log4j 1.x itself is not necessary. If features are missing in Log4j 2’s log4j 1.x binding then we would consider fixing those.

None of the current committers has probably built Log4j 1 in the last 5 years, much less attempted to perform a release.

Log4j 1.x supported an ancient version of the JDK (1.2?). I am not even sure if that is possible any more. The oldest version I have installed is 1.7. I would have no idea how to validate that it was still compatible.

Ralph

> On Dec 15, 2019, at 7:25 AM, Gary Gregory <[email protected]> wrote:
>
> Security issues should not be discussed in public for obvious reasons.
> Please see https://www.apache.org/security/
>
> Gary
>
>
> On Sun, Dec 15, 2019 at 7:01 AM Andrew Marlow <[email protected]>
> wrote:
>
>> Hello everyone,
>>
>> I know that log4j-v1 was announced as end of life back in 2015 and that all
>> effort is on log4j2. However, I would very much like to see a new version,
>> presumably it would be called 1.2.18, which addresses a security
>> vulnerability. Is this the right place to discuss this please?
>>
>> --
>> Regards,
>>
>> Andrew Marlow
>> http://www.andrewpetermarlow.co.uk
>>
