[ https://issues.apache.org/jira/browse/SPARK-6305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17466876#comment-17466876 ]
Steve Loughran commented on SPARK-6305: --------------------------------------- If anyone wants a version of a log4j 1.17 without the known (and never used) CVE, you could grab the Cloudera patched JAR. ASF projects are not allowed to release their own builds of other projects, so I'm afraid you were not allowed her to include this in Apache releases. https://mvnrepository.com/artifact/log4j/log4j/1.2.17-cloudera1 You don't need to move to log4j 2, and if you are, now is a good time to look at alternatives e.g. logback. I suspect this is what Hadoop will pick up in the new year, > Add support for log4j 2.x to Spark > ---------------------------------- > > Key: SPARK-6305 > URL: https://issues.apache.org/jira/browse/SPARK-6305 > Project: Spark > Issue Type: Improvement > Components: Build > Reporter: Tal Sliwowicz > Assignee: L. C. Hsieh > Priority: Minor > Fix For: 3.3.0 > > > log4j 2 requires replacing the slf4j binding and adding the log4j jars in the > classpath. Since there are shaded jars, it must be done during the build. -- This message was sent by Atlassian Jira (v8.20.1#820001) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org