[ 
https://issues.apache.org/jira/browse/LUCENE-10303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459132#comment-17459132
 ] 

Dawid Weiss commented on LUCENE-10303:
--------------------------------------

I don't know how difficult it would be, Tomoko. I don't think it'd be very 
hard. The problem with a single log4j sink in the home folder is that it's one 
file - if you run two Luke instances (for example, to compare indexes) one 
overwrites another. I'd rather have the persistent log dumped to the console. 
To me, it'd be more convenient than trying to look up where that log actually 
is.

> Upgrade log4j to 2.16.0
> -----------------------
>
>                 Key: LUCENE-10303
>                 URL: https://issues.apache.org/jira/browse/LUCENE-10303
>             Project: Lucene - Core
>          Issue Type: Task
>            Reporter: Tomoko Uchida
>            Assignee: Tomoko Uchida
>            Priority: Minor
>             Fix For: 9.1, 10.0 (main)
>
>         Attachments: LUCENE-10303.patch
>
>
> CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker 
> controlled LDAP and other JNDI related endpoints.
> Versions Affected: all versions from 2.0-beta9 to 2.14.1
> [https://logging.apache.org/log4j/2.x/security.html]
>  
> Only luke module uses log4j 2.13.2 (I grepped the entire codebase); meanwhile 
> the versions.props is shared by all subprojects, it may be better to upgrade 
> to 2.15.0 I think.


