[ https://issues.apache.org/jira/browse/LUCENE-10303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459120#comment-17459120 ]

Tomoko Uchida commented on LUCENE-10303:
----------------------------------------

Luke uses log4j mainly because I have been accustomed to it, and have never 
used java logging.

The logger has two appenders - one for a file handler and another for a text 
area component named "Logs" tab. If this configuration can be seamlessly ported 
to java logging (I could write a custom log handler) there would not be any 
problems with switching the logging framework. Or we probably should remove the 
fancy TextArea appender - though if possible, I'd like to keep this for the 
convenience of daily use.

> Upgrade log4j to 2.16.0
> -----------------------
>
>                 Key: LUCENE-10303
>                 URL: https://issues.apache.org/jira/browse/LUCENE-10303
>             Project: Lucene - Core
>          Issue Type: Task
>            Reporter: Tomoko Uchida
>            Assignee: Tomoko Uchida
>            Priority: Minor
>             Fix For: 9.1, 10.0 (main)
>
>         Attachments: LUCENE-10303.patch
>
>
> CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker 
> controlled LDAP and other JNDI related endpoints.
> Versions Affected: all versions from 2.0-beta9 to 2.14.1
> [https://logging.apache.org/log4j/2.x/security.html]
>  
> Only luke module uses log4j 2.13.2 (I grepped the entire codebase); meanwhile 
> the versions.props is shared by all subprojects, it may be better to upgrade 
> to 2.15.0 I think.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org
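
The port the comment above considers, sketched with java.util.logging as an added example (not part of the original message and not Luke's code): a custom handler feeds a Swing text area and a stock FileHandler writes the log file, so no third-party logging library is needed. The class names, the log file name and the `configure` helper are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.logging.FileHandler;
import java.util.logging.Handler;
import java.util.logging.LogRecord;
import java.util.logging.Logger;
import java.util.logging.SimpleFormatter;
import javax.swing.JTextArea;
import javax.swing.SwingUtilities;

/** Hypothetical handler that mirrors log records into a text area such as the "Logs" tab. */
final class TextAreaHandler extends Handler {
  private final JTextArea textArea;

  TextAreaHandler(JTextArea textArea) {
    this.textArea = textArea;
    setFormatter(new SimpleFormatter());
  }

  @Override
  public void publish(LogRecord record) {
    if (record == null || !isLoggable(record)) {
      return; // honours the handler's level and filter
    }
    // Format on the calling thread; the result is appended as plain text.
    String line = getFormatter().format(record);
    // Swing components must only be touched on the event dispatch thread.
    SwingUtilities.invokeLater(() -> textArea.append(line));
  }

  @Override public void flush() {} // nothing is buffered
  @Override public void close() {} // no resources to release
}

public class LukeLoggingSketch {
  /** Attaches the two outputs the comment describes: a log file and the text area. */
  static Logger configure(JTextArea logsTab, String logFile) throws IOException {
    Logger root = Logger.getLogger("");
    FileHandler file = new FileHandler(logFile, true); // true = append to existing file
    file.setFormatter(new SimpleFormatter());
    root.addHandler(file);
    root.addHandler(new TextAreaHandler(logsTab));
    return root;
  }

  public static void main(String[] args) throws IOException {
    JTextArea logsTab = new JTextArea();   // stands in for the "Logs" tab component
    configure(logsTab, "luke-sketch.log"); // constructed file name
    Logger.getLogger(LukeLoggingSketch.class.getName()).info("logging without log4j");
  }
}
```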
