Hello Mitali,

For one, as clearly indicated in the project page[1], Apache Log4j 1 reached its End-of-Life in 2015 and hence, is not supported by the Apache Logging Services anymore. It is not just unmaintained, but also subject to vulnerabilities. We strongly advise you to upgrade to the latest version of Log4j 2, which provides almost a drop-in replacement for Log4j 1 features and offers more!

AFAIC, Apache Log4j 1 never had a `1.2.9-1.0` release[2]. I suspect it to be a version installed by a package manager (rpm, deb, etc.) or such. I suggest you check who/what placed those JARs there. But above all, please stop using Log4j 1 and upgrade!

Kind regards.

[1] https://github.com/apache/logging-log4j1
[2] https://central.sonatype.com/artifact/log4j/log4j/1.2.17/versions

On Sat, Apr 22, 2023 at 12:39 AM Jagdale, Mitali <mijagd...@deloitte.com.invalid> wrote:

> Hello Apache Dev Team,
>
> Situation: Both the libraries log4j-1.2.9.jar and log4j-1.2.9-1.0.jar are
> getting flagged on the same server.
>
> Question: If possible, I was wondering if you could provide some technical
> insight on the difference between both of the libraries.
>
> Moreover, please feel free to point me towards any link as well that can help
> clarify my question. Thank you.
>
> Sincerely,
> Mitali
>
> This message (including any attachments) contains confidential information
> intended for a specific individual and purpose, and is protected by law. If
> you are not the intended recipient, you should delete this message and any
> disclosure, copying, or distribution of this message, or the taking of any
> action based on it, by you is strictly prohibited.
>
> Deloitte refers to a Deloitte member firm, one of its related entities, or
> Deloitte Touche Tohmatsu Limited ("DTTL"). Each Deloitte member firm is a
> separate legal entity and a member of DTTL. DTTL does not provide services
> to clients. Please see www.deloitte.com/about to learn more.
>
> v.E.1
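
Added example, not part of the original thread and not Apache code: one way to see how two similarly named JARs such as those in the question actually differ is to compare per-entry hashes and the manifest's identifying attributes. The function names and the two in-memory sample JARs are constructed for illustration and are not the contents of any real Log4j release.

```python
import hashlib
import io
import zipfile

def jar_summary(data: bytes) -> dict:
    """Per-entry SHA-256 digests plus the manifest's identifying attributes."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        digests = {info.filename: hashlib.sha256(jar.read(info)).hexdigest()
                   for info in jar.infolist() if not info.is_dir()}
        manifest = {}
        if "META-INF/MANIFEST.MF" in digests:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in text.splitlines():
                key, sep, value = line.partition(": ")
                # Skip continuation lines (leading space) and unrelated attributes.
                if sep and not line.startswith(" ") and key.startswith(
                        ("Implementation-", "Specification-")):
                    manifest[key] = value.strip()
    return {"digests": digests, "manifest": manifest}

def compare_jars(a: bytes, b: bytes) -> dict:
    """Report entries unique to each JAR and entries whose content differs."""
    sa, sb = jar_summary(a), jar_summary(b)
    da, db = sa["digests"], sb["digests"]
    return {
        "only_in_a": sorted(da.keys() - db.keys()),
        "only_in_b": sorted(db.keys() - da.keys()),
        "changed": sorted(n for n in da.keys() & db.keys() if da[n] != db[n]),
        "manifest_a": sa["manifest"],
        "manifest_b": sb["manifest"],
    }

def make_jar(entries: dict) -> bytes:
    """Build a JAR in memory (used only for the constructed samples below)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, content in entries.items():
            jar.writestr(name, content)
    return buf.getvalue()

# Constructed sample data standing in for the two flagged files.
BASE_MF = "Manifest-Version: 1.0\r\nImplementation-Version: 1.2.9\r\n"
CLASS_BYTES = b"\xca\xfe\xba\xbe constructed placeholder class body"
SAMPLE_A = make_jar({"META-INF/MANIFEST.MF": BASE_MF,
                     "org/apache/log4j/Logger.class": CLASS_BYTES})
SAMPLE_B = make_jar({"META-INF/MANIFEST.MF": BASE_MF + "Implementation-Vendor: Example Repackager\r\n",
                     "org/apache/log4j/Logger.class": CLASS_BYTES,
                     "META-INF/PACKAGER-NOTES.txt": "constructed"})

if __name__ == "__main__":
    print(compare_jars(SAMPLE_A, SAMPLE_B))
```

For real files, pass the bytes of each JAR read from disk. On rpm- or deb-based systems, `rpm -qf <path>` or `dpkg -S <path>` reports which installed package, if any, owns a given file.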