Re: Thoughts on Log4j 3.0

2019-12-15 Thread Remko Popma
That all makes sense to me. Remko. (Shameless plug) Every java main() method deserves http://picocli.info > On Dec 16, 2019, at 6:17, Ralph Goers wrote: > > Now that 2.13.0 is pushed out I would like to focus again on 3.0. The > primary driver was to make it “compatible” with JPMS, i.e. pro

Re: Thoughts on Log4j 3.0

2019-12-15 Thread Ralph Goers
> On Dec 15, 2019, at 2:44 PM, Gary Gregory wrote: > > All good thoughts. > > I suspect that now that 2.x is on Java 8 there are some clean ups we will > want to do. What comes to mind immediately is deprecating our functional > interfaces in favor of the ones in java.util.function. Then we c

Re: Is there any chance that there will be a security fix for log4j-v1.2.17?

2019-12-15 Thread Ralph Goers
> On Dec 15, 2019, at 3:06 PM, Andrew Marlow wrote: > > On Sun, 15 Dec 2019 at 21:47, Gary Gregory > wrote: > >> Thanks for bringing up policy, Ralph. For me, a new Log4j 1 release would have >> to patch a pretty catastrophic security vulnerability. >> > > Yes, I

Re: Is there any chance that there will be a security fix for log4j-v1.2.17?

2019-12-15 Thread Andrew Marlow
Hello again, I forgot to mention that if you want to see the patch you can do so directly without having to bother with that RPM. Just go to: https://github.com/jboss-logging/log4j-jboss-logmanager/pull/15/commits/2b425859f4218b32fe450fe4de5cfeeea1564ab3 On Sun, 15 Dec 2019 at 22:06, Andrew Marlo

Re: Is there any chance that there will be a security fix for log4j-v1.2.17?

2019-12-15 Thread Andrew Marlow
On Sun, 15 Dec 2019 at 21:47, Gary Gregory wrote: > Thanks for bringing up policy, Ralph. For me, a new Log4j 1 release would have > to patch a pretty catastrophic security vulnerability. > Yes, I believe it is. It's basically the same as CVE-2017-5645. The logger can listen on a socket and receives

Re: Is there any chance that there will be a security fix for log4j-v1.2.17?

2019-12-15 Thread Gary Gregory
Thanks for bringing up policy, Ralph. For me, a new Log4j 1 release would have to patch a pretty catastrophic security vulnerability. As Ralph pointed out, the first thing I would do is migrate to Log4j 2 and its support for 1.x. Gary On Sun, Dec 15, 2019 at 4:13 PM Ralph Goers wrote: > While Ga

Re: Is there any chance that there will be a security fix for log4j-v1.2.17?

2019-12-15 Thread Andrew Marlow
I have submitted a detailed report to the security mailing list and will keep detail light here. Suffice it to say that I am proposing that the log4j development team adopt a fix that has already been made and published by Red Hat. The fix is to version 1.2.17 and I propose it is used to create ver

Re: Thoughts on Log4j 3.0

2019-12-15 Thread Gary Gregory
All good thoughts. I suspect that now that 2.x is on Java 8 there are some clean ups we will want to do. What comes to mind immediately is deprecating our functional interfaces in favor of the ones in java.util.function. Then we can drop our custom functional interfaces in the 3.0 branch (if that

RE: Is there any chance that there will be a security fix for log4j-v1.2.17?

2019-12-15 Thread Kate Gray
Hello, I'm working on LOG4PHP, but I wanted to comment on the part about the ancient JDK. It's a situation I've had to deal with in the past (for things like Dell Remote Access). If there ultimately is a decision to patch the old software, there might be a logic in putting together a docker i

Thoughts on Log4j 3.0

2019-12-15 Thread Ralph Goers
Now that 2.13.0 is pushed out I would like to focus again on 3.0. The primary driver was to make it “compatible” with JPMS, i.e. properly define each of the jars as a Java module. Some of our dependencies, like Jackson, have implemented support so that we can now properly reference them, which i

Re: Is there any chance that there will be a security fix for log4j-v1.2.17?

2019-12-15 Thread Ralph Goers
While Gary is correct that we wouldn’t want to discuss a specific security vulnerability in public we can discuss the policy here. For a number of reasons I would say the answer is “No”: It gives the impression that Log4j 1.x is not End-of-Life and that future enhancements and bug fixes could be ac

[ANNOUNCEMENT] Log4j 2.13.0 released!

2019-12-15 Thread Ralph Goers
The Apache Log4j 2 team is pleased to announce the Log4j 2.13.0 release! Apache Log4j is a well known framework for logging application behavior. Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides many other modern features such as

Re: [RESULT][VOTE] Release Log4j 2-13.0-rc2

2019-12-15 Thread Matt Sicker
Thanks Ralph! Apologies for not getting a chance to cast an official vote, though I’ll still do a belated verification. On Sun, Dec 15, 2019 at 08:29 Carter Kozak wrote: > Thank you Ralph! > > -ck > > > On Dec 15, 2019, at 7:12 AM, Gary Gregory > wrote: > > > > Yes, thank you Ralph. > > > > Ga

Re: [RESULT][VOTE] Release Log4j 2-13.0-rc2

2019-12-15 Thread Carter Kozak
Thank you Ralph! -ck > On Dec 15, 2019, at 7:12 AM, Gary Gregory wrote: > > Yes, thank you Ralph. > > Gary > >> On Sun, Dec 15, 2019, 03:54 Remko Popma wrote: >> >> Thank you Ralph! >> >> >>> On Dec 15, 2019, at 15:40, Ralph Goers >> wrote: >>> >>> The release vote has passed with +1

Re: Is there any chance that there will be a security fix for log4j-v1.2.17?

2019-12-15 Thread Gary Gregory
Security issues should not be discussed in public for obvious reasons. Please see https://www.apache.org/security/ Gary On Sun, Dec 15, 2019 at 7:01 AM Andrew Marlow wrote: > Hello everyone, > > I know that log4j-v1 was announced as end of life back in 2015 and that all > effort is on log4j2.

Re: [RESULT][VOTE] Release Log4j 2-13.0-rc2

2019-12-15 Thread Gary Gregory
Yes, thank you Ralph. Gary On Sun, Dec 15, 2019, 03:54 Remko Popma wrote: > Thank you Ralph! > > > > On Dec 15, 2019, at 15:40, Ralph Goers > wrote: > > > > The release vote has passed with +1 votes from Carter Kozak, Remko > Popma, Gary Gregory, and Ralph Goers. No other votes were cast. > >

Is there any chance that there will be a security fix for log4j-v1.2.17?

2019-12-15 Thread Andrew Marlow
Hello everyone, I know that log4j-v1 was announced as end of life back in 2015 and that all effort is on log4j2. However, I would very much like to see a new version, presumably it would be called 1.2.18, which addresses a security vulnerability. Is this the right place to discuss this please? -- Re

Re: [RESULT][VOTE] Release Log4j 2-13.0-rc2

2019-12-15 Thread Remko Popma
Thank you Ralph! > On Dec 15, 2019, at 15:40, Ralph Goers wrote: > > The release vote has passed with +1 votes from Carter Kozak, Remko Popma, > Gary Gregory, and Ralph Goers. No other votes were cast. > > I will continue with the release process. > > Ralph