I will suppress the warning for 3.6.

I would like to stop delivering that jar for 3.7.0.
If we are on slf4j we can use another implementation.

We have to document the change well, and how to manually roll back to the
legacy Logger in case of trouble.
Maybe a suggestion about how to convert the config is desirable but not
strictly needed.
Maybe most users are using the default configuration.

Enrico

On Mon 4 May 2020, 10:35 Szalay-Bekő Máté <szalay.beko.m...@gmail.com>
wrote:

> Hello All,
>
> in relation to the 3.5.8 release I was taking a look at
> https://issues.apache.org/jira/browse/ZOOKEEPER-3817
>
> It is about a new CVE (https://nvd.nist.gov/vuln/detail/CVE-2020-9488)
> which describes a weakness for log4j SmtpAppender. If I am right, this can
> affect any log4j user who configures SmtpAppender for ZooKeeper.
> Unfortunately the log4j 1.2 we use is EOL and this fix can be done only by
> upgrading to log4j 2.
>
> I am not sure how we are doing with log4j 2. I found this ticket (
> https://issues.apache.org/jira/browse/ZOOKEEPER-2342) which has been open for
> some time. But there are some promising recent comments there about "log4j
> bridge" that should make this transition easier:
> http://logging.apache.org/log4j/2.x/manual/migration.html
>
> Questions for anyone (but mostly for the PMCs): What do you think? Can we
> suppress this CVE (saying that SmtpAppender is unlikely to be used with
> ZooKeeper)? If you think we can't suppress but need to focus on log4j
> upgrade, then will this postpone the 3.5.8 release?
>
> Kind regards,
> Mate
>
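The question above hinges on whether SMTPAppender is actually wired into a deployment's log4j 1.x configuration. Below is an added check (not code from this thread or from the ZooKeeper project) that parses a log4j.properties file, resolves the `${...}` indirection ZooKeeper uses for its root logger, and reports which appenders are SMTP-based and which loggers reference them; the config it parses is constructed for the example.

```python
"""Report SMTPAppender usage in a log4j 1.x properties configuration."""
import re

# Constructed sample in the style of a ZooKeeper log4j.properties; the
# hostnames and addresses are placeholders, not real infrastructure.
SAMPLE_CONFIG = """\
# root logger is defined through an indirection, as ZooKeeper does
zookeeper.root.logger=INFO, CONSOLE, MAIL
log4j.rootLogger=${zookeeper.root.logger}
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
log4j.appender.MAIL=org.apache.log4j.net.SMTPAppender
log4j.appender.MAIL.SMTPHost=mail.example.invalid
log4j.appender.MAIL.To=ops@example.invalid
log4j.logger.org.apache.zookeeper.server.quorum=WARN, MAIL
"""


def parse_properties(text):
    """Minimal key=value parser for a properties file (comments skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def expand(value, props):
    """Resolve ${name} references against keys defined in the same file."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)), value)


def find_smtp_appenders(text):
    """Return (smtp appender names, {logger key: [smtp appenders it uses]})."""
    props = parse_properties(text)
    # Appender declarations are exactly log4j.appender.<NAME>=<class>;
    # deeper keys such as log4j.appender.MAIL.SMTPHost are properties.
    smtp = {k.split(".")[2] for k, v in props.items()
            if k.startswith("log4j.appender.") and k.count(".") == 2
            and v.lower().endswith("smtpappender")}
    users = {}
    for k, v in props.items():
        if k == "log4j.rootLogger" or k.startswith("log4j.logger."):
            # Value is "LEVEL, APPENDER1, APPENDER2"; drop the level.
            refs = [r.strip() for r in expand(v, props).split(",")[1:]]
            hit = sorted(set(refs) & smtp)
            if hit:
                users[k] = hit
    return smtp, users
```

If the returned dictionary is empty the SMTP appender is declared but unused (or absent), which is the situation the "unlikely to be used" argument depends on.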
