Dear Slf4j team,
I noticed that when using Slf4j with log4j the dependency that gets
pulled by Slf4j is outdated (log4j-1.2.17.jar). Log4J 1.2.17 reached end
of life in 2015 (see http://logging.apache.org/log4j/1.2/download.html).
This leads to the following problems:
* Log4J 1.2.17 contains a security vulnerability (see
https://nvd.nist.gov/vuln/detail/CVE-2019-17571)
* Log4J 1.2.17 contains a dirty bugfix that messes up the Java module
system (see
https://stackoverflow.com/questions/60130941/resolutionexception-in-java-11)
Therefore I wanted to ask: are there any plans to switch to a newer
Log4J 2.x version in the near future? I guess I am not the only one
having problems with this dependency.
Best regards,
Florian Poehr
_______________________________________________
slf4j-dev mailing list
slf4j-dev@qos.ch
http://mailman.qos.ch/mailman/listinfo/slf4j-dev
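
A check for the situation the message describes, added here as an example (it is not part of the original message and not SLF4J project code): it parses `mvn dependency:tree` output and reports the dependency chain that brings in `log4j:log4j` 1.x. The sample tree, including the `com.example` coordinates and the SLF4J version shown, is constructed for illustration.

```python
import re

# Constructed sample of `mvn dependency:tree` output. Only the log4j 1.2.17
# version comes from the message; every other coordinate is illustrative.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:tree (default-cli) @ demo-app ---
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- com.example:legacy-lib:jar:2.3:compile
[INFO] |  \- org.slf4j:slf4j-log4j12:jar:1.7.30:compile
[INFO] |     +- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] |     \- log4j:log4j:jar:1.2.17:compile
[INFO] \- junit:junit:jar:4.13:test
"""

# Tree prefix is built from 3-character units: "|  ", "   ", "+- " or "\- ".
LINE = re.compile(r"^\[INFO\] ((?:[| ]  )*(?:[+\\]- )?)(\S+:\S+)$")


def find_log4j1(tree_text):
    """Return [(version, [group:artifact path from the root])] for log4j:log4j 1.x."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = LINE.match(line.rstrip())
        if not m:
            continue  # banner, summary or blank line, not a tree node
        depth = len(m.group(1)) // 3
        parts = m.group(2).split(":")
        if len(parts) < 4:
            continue
        # Root: group:artifact:type:version. Children append a scope, and
        # may carry a classifier, so the version is second from the end.
        version = parts[3] if len(parts) == 4 else parts[-2]
        del stack[depth:]  # drop siblings and deeper nodes already visited
        stack.append(f"{parts[0]}:{parts[1]}")
        if parts[:2] == ["log4j", "log4j"] and version.startswith("1."):
            hits.append((version, list(stack)))
    return hits


if __name__ == "__main__":
    for version, path in find_log4j1(SAMPLE_TREE):
        print(f"log4j {version} pulled in via: " + " -> ".join(path))
```

The second element of each reported path is the direct dependency to exclude or upgrade in the build.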