[ https://issues.apache.org/jira/browse/LOG4J2-2329?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17184696#comment-17184696 ]
Ralph Goers commented on LOG4J2-2329:
-------------------------------------

SLF4J "fixed" the CVE by removing the EventData class. Log4j provides specific support for that class, so incrementing the version of SLF4J will cause log4j-slf4j-impl to fail to compile. Removing the support would be a break in compatibility (which is essentially what SLF4J did in its fix).

SLF4J 1.8 releases will not work with log4j-slf4j-impl. For that, log4j-slf4j18-impl must be used.

> Fix dependency in log4j-slf4j-impl to slf4j due to CVE-2018-8088
> ----------------------------------------------------------------
>
>                 Key: LOG4J2-2329
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-2329
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: SLF4J Bridge
>    Affects Versions: 2.11.0
>            Reporter: Sven Kubiak
>            Priority: Major
>
> Latest version of log4j-slf4j-impl has a dependency to slf4j-api version
> 1.8.0-Alpha2. All versions before 1.8.0-Beta2 are vulnerable due to
> CVE-2018-8088.
> [https://nvd.nist.gov/vuln/detail/CVE-2018-8088]
> Can we update to at least 1.8.0-Beta2?

--
This message was sent by Atlassian Jira
(v8.3.4#803005)