[log4j] JSON/YAML config is found but dependencies are missing (#1501)

2023-10-05 Thread Volkan Yazıcı
Ralph, since you were involved in the "No error emitted when using a YAML
configuration without additional dependency" issue (#1501) and the PR
(#1592) associated with it, could you help to make some progress there?
Maybe guide the PR author a bit?


[log4j] Improving log4j security

2023-10-05 Thread Klebanov, Vladimir
Hello,

I would like to contribute some code in order to make log4j usage more secure. 
I have now sent two emails to the log4j security team but did not receive a 
response. Is anybody here interested? How can we discuss this further?

Thanks,
Vladimir


Re: [log4j] Improving log4j security

2023-10-05 Thread Piotr P. Karwasz
Hi Vladimir,

On Thu, 5 Oct 2023 at 21:47, Klebanov, Vladimir wrote:
> I would like to contribute some code in order to make log4j usage more 
> secure. I have now sent two emails to the log4j security team but did not 
> receive a response. Is anybody here interested? How can we discuss this 
> further?

Both times (10 Aug 2023, 23:19 and 29 Aug 2023, 20:49) we sent an
answer to your address at sap.com.

Anyway, the general consensus was that the issue with generating HTML
using PatternLayout does not constitute a security problem and you can
discuss it on this mailing list or file an issue in GitHub issues.

Piotr