ceki edited a comment on pull request #608: URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991380319
When there are literally millions of log4j 1.x users out there, can you stop toying around? There is no lookup expansion in log4j 1.x and it does not suffer from CVE-2021-44228. How hard is it to admit? Having said this, log4j 1.x is no longer being maintained with all the security implications that situation entails. Thus, you should seriously consider migrating to one of log4j 1.x successors such as SLF4J/logback, although you probably do not need to do so today with the utmost urgency.
