[jira] [Commented] (LOG4J2-2329) Fix dependency in log4j-slf4j-impl to slf4j due to CVE-2018-8088

2020-08-25 Thread Ralph Goers (Jira)


[ 
https://issues.apache.org/jira/browse/LOG4J2-2329?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17184704#comment-17184704
 ] 

Ralph Goers commented on LOG4J2-2329:

Additional note - log4j-slf4j18-impl was updated to 1.8.0-beta4 by LOG4J2-2745. 
The CVE can be avoided by simply not using slf4j-ext or the EventData class. An 
argument could be made that we should also remove support for EventData. 
Admittedly it was a hack added to SLF4J (by me) because its API doesn't support 
Messages like Log4j does. Users who want to avoid the CVE need only upgrade 
SLF4J to a more recent 1.7 version. It will work fine with Log4j so long as the 
EventData isn't present. But removing it entirely and upgrading the version 
would give users warm fuzzies.

> Fix dependency in log4j-slf4j-impl to slf4j due to CVE-2018-8088
> 
>
> Key: LOG4J2-2329
> URL: https://issues.apache.org/jira/browse/LOG4J2-2329
> Project: Log4j 2
>  Issue Type: Bug
>  Components: SLF4J Bridge
>Affects Versions: 2.11.0
>Reporter: Sven Kubiak
>Priority: Major
>
> Latest version of log4j-slf4j-impl has a dependency to slf4j-api version 
> 1.8.0-Alpha2. All versions before 1.8.0-Beta2 are vulnerable due to 
> CVE-2018-8088.
> [https://nvd.nist.gov/vuln/detail/CVE-2018-8088]
> Can we update to at least 1.8.0-Beta2?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
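The two comments above boil down to a dependency-tree check: is slf4j-ext (which ships EventData) on the classpath at all, and is slf4j-api pinned to a 1.8 pre-release older than 1.8.0-beta2? The script below is an added example, not part of the issue or of the Log4j project; the `mvn dependency:tree` output it parses is constructed, and its Maven qualifier ordering is an approximation of Maven's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `mvn dependency:tree` output mirroring the issue's setup.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.11.0:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.8.0-alpha2:compile
[INFO] |  \\- org.slf4j:slf4j-ext:jar:1.8.0-alpha2:compile
[INFO] \\- org.apache.logging.log4j:log4j-core:jar:2.11.0:compile
"""

# Maven orders pre-release qualifiers alpha < beta < milestone < rc < release;
# unknown qualifiers are treated like a release here (an approximation).
QUALIFIER_RANK = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "milestone": 2, "m": 2,
                  "rc": 3, "cr": 3, "snapshot": 4, "": 5}


def version_key(v: str) -> Tuple:
    """Sort key for versions such as 1.7.30, 1.8.0-alpha2 or 1.8.0-beta2."""
    base, _, qual = v.lower().partition("-")
    nums = tuple(int(p) for p in base.split("."))
    m = re.fullmatch(r"([a-z]*)(\d*)", qual)
    word, num = (m.group(1), m.group(2)) if m else (qual, "")
    return (nums, QUALIFIER_RANK.get(word, 5), int(num) if num else 0)


def parse_tree(text: str) -> Dict[str, str]:
    """Map groupId:artifactId to version for every jar node in the tree output."""
    return {f"{g}:{a}": ver for g, a, ver in
            re.findall(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+)", text)}


def assess(deps: Dict[str, str]) -> List[str]:
    """Report the two conditions the thread identifies as relevant to CVE-2018-8088."""
    findings = []
    ext = deps.get("org.slf4j:slf4j-ext")
    if ext is not None:  # EventData lives in slf4j-ext, so its presence is the real exposure
        findings.append(f"org.slf4j:slf4j-ext:{ext} is on the classpath; EventData is reachable. "
                        "Exclude slf4j-ext unless the application really uses it.")
    api = deps.get("org.slf4j:slf4j-api")
    if api is not None:
        key = version_key(api)
        if key[0][:2] == (1, 8) and key < version_key("1.8.0-beta2"):
            findings.append(f"org.slf4j:slf4j-api:{api} is a 1.8 pre-release older than 1.8.0-beta2; "
                            "note that 1.8.x needs log4j-slf4j18-impl, not log4j-slf4j-impl.")
    return findings


if __name__ == "__main__":
    for line in assess(parse_tree(SAMPLE_TREE)):
        print(line)
```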


[jira] [Commented] (LOG4J2-2329) Fix dependency in log4j-slf4j-impl to slf4j due to CVE-2018-8088

2020-08-25 Thread Ralph Goers (Jira)


[ 
https://issues.apache.org/jira/browse/LOG4J2-2329?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17184696#comment-17184696
 ] 

Ralph Goers commented on LOG4J2-2329:

SLF4J "fixed" the CVE by removing the EventData class. Log4j provides specific 
support for that class so incrementing the version of SLF4J will cause 
log4j-slf4j-impl to fail to compile. Removing the support would be a break in 
compatibility (which is essentially what SLF4J did in its fix). SLF4J 1.8 
releases will not work with log4j-slf4j-impl. For that log4j-slf4j18-impl must 
be used.






[jira] [Commented] (LOG4J2-2329) Fix dependency in log4j-slf4j-impl to slf4j due to CVE-2018-8088

2020-08-25 Thread Krishan Mistry (Jira)


[ 
https://issues.apache.org/jira/browse/LOG4J2-2329?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17184657#comment-17184657
 ] 

Krishan Mistry commented on LOG4J2-2329:


Also reported by [Snyk|https://snyk.io/vuln/SNYK-JAVA-ORGSLF4J-32138] with the 
same CVE.
Let's upgrade to the latest minor version v1.7.30 (at the time of writing). This 
will likely cause fewer breaking changes to log4j2 builds.
SLF4J 1.8 is still slowly being developed, and we should push forward with 
upgrading to v1.7.30.






[jira] [Commented] (LOG4J2-2329) Fix dependency in log4j-slf4j-impl to slf4j due to CVE-2018-8088

2018-04-30 Thread Gary Gregory (JIRA)

[ 
https://issues.apache.org/jira/browse/LOG4J2-2329?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16458983#comment-16458983
 ] 

Gary Gregory commented on LOG4J2-2329:

What happens when you do a build with the new dependency?




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)