[
https://issues.apache.org/jira/browse/SPARK-6305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17042761#comment-17042761
]
Ralph Goers commented on SPARK-6305:
------------------------------------
[[email protected]] Regarding your comment on Sept 17, 2019 -
[CVE-2019-17571|https://nvd.nist.gov/vuln/detail/CVE-2019-17571] was created
recently against Log4j 1. It is essentially the same as the CVE you noted above
against Log4j 2. It was created specifically because people were confused in
thinking that CVE-2017-5645 did not apply to Log4j 1. CVE-2019-17571 has been
mitigated in third party distributions of Log4j but will never be fixed in an
ASF distribution, so any use of Log4j 1 will now permanently show up in
security scans, although some projects (ZOOKEEPER-3677) are choosing to
suppress the security failure.
Also note that Log4j 2 now offers [experimental
support|http://logging.apache.org/log4j/2.x/manual/compatibility.html] for
Log4j 1 configuration files.
> Add support for log4j 2.x to Spark
> ----------------------------------
>
> Key: SPARK-6305
> URL: https://issues.apache.org/jira/browse/SPARK-6305
> Project: Spark
> Issue Type: Improvement
> Components: Build
> Reporter: Tal Sliwowicz
> Priority: Minor
>
> log4j 2 requires replacing the slf4j binding and adding the log4j jars in the
> classpath. Since there are shaded jars, it must be done during the build.