+1 to deprecate the 'ignite-log4j' module and remove it in the next releases.
вт, 1 мар. 2022 г. в 20:40, Sergei Ryzhov :
>
> Anton, Nikolay thanks.
>
> With this ticket[1] I change the default logger to ignite-log4j2
> And I will mark log4j as deprecated.
>
> before the review, I will check on
Anton, Nikolay thanks.
With this ticket[1] I change the default logger to ignite-log4j2
And I will mark log4j as deprecated.
before the review, I will check on the TC-bot and check on the Ducktests.
[1] https://issues.apache.org/jira/browse/IGNITE-16626
пн, 28 февр. 2022 г. в 19:10, Anton
> But, seems, we can’t do it right now, because of existing deployments.
Correct
> Let’s mark this module as deprecated and remove it in 2.14?
Possible way
Also, we must check this will not cause problems at tests (eg. Ducktests)
On Mon, Feb 28, 2022 at 6:48 PM Nikolay Izhikov wrote:
> Hello,
Hello, Anton.
+1 to remove outdated logging library.
But, seems, we can’t do it right now, because of existing deployments.
Let’s mark this module as deprecated and remove it in 2.14?
> Not every deployment require to be secured.
Disagree.
We should update or workaround known security issues
Your deployment has vulnerabilities only in case you configured log4j as a
logger.
Not every deployment require to be secured.
Not every deployment requires to use of log4j.
We must change the default logging library if the current is log4j and
provide the ability to use log4j as before (where it
Hello, Igniters.
log4j 1.2.17 is not supported and contains critical vulnerabilities
I suggest excluding log4j 1.2.17 and module ignite-log4j from ignite[1].
Direct vulnerabilities:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305