[ https://issues.apache.org/jira/browse/LIVY-878?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17652914#comment-17652914 ]
Larry McCay commented on LIVY-878:
----------------------------------
[~ksumit] - okay, I see now. You were describing us ignoring it and then
downstream consumers swapping out the log4j for reload4j jars?
I'd personally think that we shouldn't put out a new release that contains
these vulnerabilities as the first one of the revived community. The most
conservative route, IMO, would be to be on par with downstream projects now
which seem to be on reload4j. Deployments with these changes are presumably in
use and being tested already.
That said, if the difference between moving to reload4j and the official API
bridge is trivial perhaps we go that far.
We could also target reload4j as the most conservative for 0.8.0 and follow up
with a 0.8.1 that moves to the bridge.
> I am now thinking that eliminating log4j1.x dependency is more
> appropriate and will be helpful for production environments that use Spark on
> kubernetes or mesos.
Does this refer to moving to the API bridge or all the way to log4j v2?
> Log4j upgrade for Livy 0.7.0 version
> -------------------------------------
>
> Key: LIVY-878
> URL: https://issues.apache.org/jira/browse/LIVY-878
> Project: Livy
> Issue Type: Sub-task
> Reporter: Tinu Jose
> Assignee: Damon Cortesi
> Priority: Major
> Fix For: 0.8.0
>
>
> We are looking for advice from you in the context of the below mentioned issue:
>
> *A high severity vulnerability (CVE-2021-44228) impacting multiple versions
> of the Apache Log4j 2 utility was disclosed publicly via the project’s GitHub
> on December 9, 2021.*
> *The vulnerability impacts Apache Log4j 2 versions 2.0 to 2.14.1.*
>
> Apache Livy version 0.7.0 is being used by our team for processing
> the Spark jobs. It uses Log4j 1.x.x, which does not have any continued
> support.
> We would like to upgrade the Log4j version to the latest stable version
> 2.15 without having any impact on the installations.
>
> Could you please recommend the possible ways to do the upgrade. Please note,
> we are not looking to upgrade the Livy version to 0.7.1 to resolve this issue.
> Our requirement is to retain the current installed version and configurations,
> with only changes in the Log4j versions.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)