Hello,

I'm working on LOG4PHP, but I wanted to comment on the part about the ancient 
JDK.  It's a situation I've had to deal with in the past (for things like Dell 
Remote Access).

If there ultimately is a decision to patch the old software, there might be some 
logic in putting together a docker instance (or even a chroot package).  I've 
found that it can be a lot easier than keeping a VM around.  Oracle does have 
the old JDK 1.2 archive still up on their site, and there's a docker base image 
for Centos 4, which was released back in 2005.  If the decision was made to 
release an update, I could likely put together an image for whoever wanted to 
release the update.

Kate

-----Original Message-----
From: Ralph Goers <[email protected]> 
Sent: December 15, 2019 3:08 PM
To: [email protected]
Cc: [email protected]
Subject: Re: Is there any chance that there will be a security fix for 
log4j-v1.2.17?

While Gary is correct that we wouldn’t want to discuss a specific security 
vulnerability in public, we can discuss the policy here.

For a number of reasons I would say the answer is “No”:

- It gives the impression that Log4j 1.x is not End-of-Life and that future 
  enhancements and bug fixes could be accepted.
- We provide alternatives so that Log4j 1.x itself is not necessary. If features 
  are missing in Log4j 2’s log4j 1.x binding then we would consider fixing those.
- None of the current committers has probably built Log4j 1 in the last 5 years, 
  much less attempted to perform a release.
- Log4j 1.x supported an ancient version of the JDK (1.2?). I am not even sure if 
  that is possible any more. The oldest version I have installed is 1.7. I would 
  have no idea how to validate that it was still compatible.

Ralph

> On Dec 15, 2019, at 7:25 AM, Gary Gregory <[email protected]> wrote:
> 
> Security issues should not be discussed in public for obvious reasons.
> Please see https://www.apache.org/security/
> 
> Gary
> 
> 
> On Sun, Dec 15, 2019 at 7:01 AM Andrew Marlow 
> <[email protected]>
> wrote:
> 
>> Hello everyone,
>> 
>> I know that log4j-v1 was announced as end of life back in 2015 and 
>> that all effort is on log4j2. However, I would very much like to see 
>> a new version, presumably it would be called 1.2.18, which addresses 
>> a security vulnerability. Is this right place to discuss this please?
>> 
>> --
>> Regards,
>> 
>> Andrew Marlow
>> http://www.andrewpetermarlow.co.uk
>> 