Lucene core is a no-dependencies library. Some of the other Lucene modules, and the build and tests, have dependencies, but none of them includes log4j. So sorry, but we won't be making Lucene use log4j 2.17.2; probably you should get your compliance standards changed to include *forbidden* versions rather than *required* versions :)
On Thu, Jun 23, 2022 at 9:57 AM Kurz, Fred <fred.k...@cra-arc.gc.ca.invalid> wrote:
>
> Categorization: Unclassified
> Hi:
>
> What version of log4j is included in Lucene version 8.11.2? The release
> notes for Solr 8.11.2 explicitly state log4j version is upgraded to 2.17.2
> to address security vulnerabilities, but there is no such note for Lucene. I
> assume the same is true for Lucene 8.11.2 since Solr is a subproject, but I
> need it confirmed.
>
> I am trying to get Lucene 8.11.2 certified for use in my organization but
> certification is contingent on Lucene using log4j 2.17.2. A prompt reply
> would be greatly appreciated.
>
> Thanks,
> Fred Kurz
>