Re: ActiveMQ 5.17 and log4j2

> Are you confident guys that we'll have the 5.17 release for this date >> or do we have to develop some kind of patch ? >> > >> > Regards, >> > >> > Laurent >> > -Message d'origine- >> > De : Jean-Baptiste Onof

RE: ActiveMQ 5.17 and log4j2

Onofré Envoyé : lundi 3 janvier 2022 19:03 À : dev@activemq.apache.org Objet : Re: ActiveMQ 5.17 and log4j2 I don’t understand. Again ActiveMQ 5.16 is NOT impacted by log4shell. So why upgrading for that ? And no, you won’t have 5.17.0 on 31/01 as I plan to start the vote on that date. I would

Re: ActiveMQ 5.17 and log4j2

this date or do > > we have to develop some kind of patch ? > > > > Regards, > > > > Laurent > > -Message d'origine- > > De : Jean-Baptiste Onofré > > Envoyé : lundi 3 janvier 2022 18:00 > > À : dev@activemq.apache.org >

Re: ActiveMQ 5.17 and log4j2

> > On 03/01/2022 17:30, Xeno Amess wrote: > > Just show the log4j2 cve list to that customer, and persuade him no > hurry to migrate. > > > > XenoAmess > > ____________ > > From: JB Onofré > > Sent: Monday, January 3, 2022 11:31:30

Re: ActiveMQ 5.17 and log4j2

> or do we have to develop some kind of patch ? >> > >> > Regards, >> > >> > Laurent >> > -Message d'origine- >> > De : Jean-Baptiste Onofré >> > Envoyé : lundi 3 janvier 2022 18:00 >> > À : dev@activemq.apache

Re: ActiveMQ 5.17 and log4j2

e you confident guys that we'll have the 5.17 release for this date or > do we have to develop some kind of patch ? > > > > Regards, > > > > Laurent > > -Message d'origine- > > De : Jean-Baptiste Onofré > > Envoyé : lundi 3 janvier 2022

Re: ActiveMQ 5.17 and log4j2

> De : Jean-Baptiste Onofré > Envoyé : lundi 3 janvier 2022 18:00 > À : dev@activemq.apache.org > Objet : Re: ActiveMQ 5.17 and log4j2 > > Log4j2 is only impacted, not log4j 1.x. > > It's what I meant: ActiveMQ 5.16.x/5.15.x are not affected by log4shell > vulne

RE: ActiveMQ 5.17 and log4j2

---Message d'origine- De : Jean-Baptiste Onofré Envoyé : lundi 3 janvier 2022 18:00 À : dev@activemq.apache.org Objet : Re: ActiveMQ 5.17 and log4j2 Log4j2 is only impacted, not log4j 1.x. It's what I meant: ActiveMQ 5.16.x/5.15.x are not affected by log4shell vulnerability. Regar

Re: ActiveMQ 5.17 and log4j2

Amess From: JB Onofré Sent: Monday, January 3, 2022 11:31:30 PM To: dev@activemq.apache.org Subject: Re: ActiveMQ 5.17 and log4j2 About 5.16 no way: it’s log4j 1.x And log4j 1.x is not impacted by log4shell vulnerability so no need to update. Regards JB Le 3 janv. 2022 à

Re: ActiveMQ 5.17 and log4j2

Just show the log4j2 cve list to that customer, and persuade him no hurry to migrate. XenoAmess From: JB Onofré Sent: Monday, January 3, 2022 11:31:30 PM To: dev@activemq.apache.org Subject: Re: ActiveMQ 5.17 and log4j2 About 5.16 no way: it’s log4j 1.x And

Re: ActiveMQ 5.17 and log4j2

About 5.16 no way: it’s log4j 1.x And log4j 1.x is not impacted by log4shell vulnerability so no need to update. Regards JB > Le 3 janv. 2022 à 16:00, Laurent Blanquet a écrit : > > Hi Guys, > > It seems that the latest version available is still using log4j 1.2.17. > > Unfortunately we h

Re: ActiveMQ 5.17 and log4j2

I have a PR about upgrading to log4j 2.17.1 but I didn’t merge it yet. I will in the coming days. Regards JB > Le 3 janv. 2022 à 16:00, Laurent Blanquet a écrit : > > Hi Guys, > > It seems that the latest version available is still using log4j 1.2.17. > > Unfortunately we have a customer

Re: ActiveMQ 5.17 and log4j2

Version 5.17 hasn't even been released yet so it's not possible to say what exact version of Log4j it will be using. As noted on the website [1] and in this PR [2] 5.17 *will* be using Log4j 2.x. Justin [1] https://activemq.apache.org/news/cve-2021-44228 [2] https://github.com/apache/activemq/pu