This appears to be plugin dependencies though, not project dependencies. The
issue should really be raised with whatever plugin is causing it to be used. My
recollection is that Maven itself hasn’t used Log4j in quite some time for
logging.
Ralph
> On Mar 3, 2022, at 8:21 AM, Gary Gregory
Also note that in log4j 2.17.2 that was released a few days ago, I added
many improvements to the log4j-1.2-api module which aims to provide
compatibility with 1.2.
Gary
On Thu, Mar 3, 2022, 08:37 Bernd Eckenfels wrote:
> All of the (known) remaining log4j1.x security bugs (none of which are
Do note that reload4j is not 100% compatible with log4j 1.2.17; code has
just been deleted to "fix" some CVEs.
Gary
On Thu, Mar 3, 2022, 08:37 Bernd Eckenfels wrote:
> All of the (known) remaining log4j1.x security bugs (none of which are as
> severe as log4shell) are fixed in reload4j 1.2.18+.
All of the (known) remaining log4j1.x security bugs (none of which are as
severe as log4shell) are fixed in reload4j 1.2.18+. If you need to stick with
1.2 you should use that. Otherwise you can try to migrate to the log4j bridge,
its compatibility was increased in 2.17.2 or 2.12.4.
Regards
I *thought* log4j 1.2.15 had the patch to mitigate the JNDI security
vulnerability?
Is this not the case?
Thanks John
M.
Original message
From: John Patrick
Date: 3/3/22 4:07 AM (GMT-05:00)
To: Maven Developers List
Cc: David
Hey guys
Let’s be courteous and civil.
As part of vulnerability management, an assessment has to be made about the
potential security impact of a vulnerability in software.
New vulnerabilities are found every day on older components and it is not
practical nor feasible to chase down every
Sorry, I thought you were talking about log4j v2, not v1. I can see it
downloads the metadata about the project but none of the jars:
local-repo/log4j
local-repo/log4j/log4j
local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom
local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1
local-repo/log4j
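As an added example (not part of this thread, and not Maven's own tooling): a POSIX shell script that walks a local repository for log4j:log4j entries and reports, per version, whether only the pom (metadata) was resolved or the jar itself is on disk, which is the distinction John makes above. The repository path and the sample tree the script builds are constructed for this example; the directory layout assumed is the standard <repo>/log4j/log4j/<version>/ shown in the listing.

```shell
#!/bin/sh
# Added example, not from the thread: inventory a local Maven repository for
# log4j:log4j artifacts and separate pom-only entries (metadata fetched, no
# jar) from entries where the jar itself is present.
#
# Assumed layout: <repo>/log4j/log4j/<version>/log4j-<version>.{pom,jar}
# The sample repository built by make_sample_repo is constructed here.

# Build a throwaway repository mirroring the listing in the thread: only the
# pom and its checksum for 1.2.12, plus a constructed 1.2.17 entry with a jar.
make_sample_repo() {
    repo=$(mktemp -d)
    mkdir -p "$repo/log4j/log4j/1.2.12" "$repo/log4j/log4j/1.2.17"
    : > "$repo/log4j/log4j/1.2.12/log4j-1.2.12.pom"
    : > "$repo/log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1"
    : > "$repo/log4j/log4j/1.2.17/log4j-1.2.17.pom"
    : > "$repo/log4j/log4j/1.2.17/log4j-1.2.17.jar"   # constructed: jar present
    printf '%s\n' "$repo"
}

# Print one line per resolved log4j:log4j version:
#   "<version> jar-present"  the jar is on disk (can end up on a classpath)
#   "<version> pom-only"     only metadata was fetched
scan_log4j_repo() {
    base="$1/log4j/log4j"
    [ -d "$base" ] || return 0
    for dir in "$base"/*/; do
        [ -d "$dir" ] || continue
        ver=$(basename "$dir")
        if [ -f "$dir/log4j-$ver.jar" ]; then
            printf '%s jar-present\n' "$ver"
        else
            printf '%s pom-only\n' "$ver"
        fi
    done
}

# Number of versions whose jar is actually present; pom-only entries do not
# count, because no code from them can be loaded.
count_jars_present() {
    scan_log4j_repo "$1" | grep -c ' jar-present$' || true
}

# Demo on the constructed sample repository.
sample=$(make_sample_repo)
echo "Scanning constructed sample repository $sample:"
scan_log4j_repo "$sample"
echo "versions with a jar on disk: $(count_jars_present "$sample")"
rm -rf "$sample"
```

Run it against a real repository with `scan_log4j_repo "$HOME/.m2/repository"` to see which log4j 1.x versions are merely referenced by plugin metadata and which are actually present as jars.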