Hey all, I've been trying to go through Jira issues and mailing list archives to understand ongoing plans for Log4j 1.x upgrades. I know technically Hadoop is not listed as vulnerable, but some more cautious organizations are looking to upgrade anyway.
It seems like 3.4.x and beyond releases are talking about moving to Log4j2 or Logback (per https://issues.apache.org/jira/browse/HADOOP-12956 and https://issues.apache.org/jira/browse/HADOOP-16206). It seems like 3.2.x and 3.3.x are talking about moving to Reload4j (per https://issues.apache.org/jira/browse/HADOOP-18088 and https://github.com/apache/hadoop/pull/3906). Two questions: - Does that sound accurate? - Are there any plans to patch Reload4j back into 2.x releases as well? Thank you for your time and help and all your hard work on this project! ~Brent
