I have never used either Chainsaw or anything to do with Java serialization of Log4j events. This said, you have my full support of ditching that feature off from log4cxx – preferably in the next major release? Java serialization, putting aside its good intentions, has been a generous source of many security vulnerabilities.
On Sat, Sep 25, 2021 at 3:49 AM Robert Middleton <rmiddle...@apache.org> wrote:

> I've been working on ABI compliance for log4cxx lately (LOGCXX-516),
> and I'm running across a few classes that have to do with sending log
> messages as Java serialized messages. Since we've removed the ability
> to receive these messages through Chainsaw, and due to Java's known
> security issues with object deserialization, is there any reason in
> keeping this feature around?
>
> Note: I'm currently imagining that this would be for the next major
> release of log4cxx, which I wouldn't expect for at least another year.
> Whenever that release is, I expect that the release would break a lot
> of code, so removing the serialization at that time makes the most
> sense to me.
>
> -Robert Middleton