On Wed, Mar 2, 2022 at 2:43 AM Brent <[email protected]> wrote:
> Hey all,
>
> I've been trying to go through Jira issues and mailing list archives to
> understand ongoing plans for Log4j 1.x upgrades. I know technically Hadoop
> is not listed as vulnerable, but some more cautious organizations are
> looking to upgrade anyway.
>
> It seems like 3.4.x and beyond releases are talking about moving to Log4j2
> or Logback (per https://issues.apache.org/jira/browse/HADOOP-12956 and
> https://issues.apache.org/jira/browse/HADOOP-16206).
>
> It seems like 3.2.x and 3.3.x are talking about moving to Reload4j (per
> https://issues.apache.org/jira/browse/HADOOP-18088 and
> https://github.com/apache/hadoop/pull/3906).
>
> Two questions:
> - Does that sound accurate?

That sounds about right.

> - Are there any plans to patch Reload4j back into 2.x releases as well?

I think a bigger question is whether or not we have someone who would like to volunteer to be a release manager for the 2.10.2 release. The last 2.x release was over a year ago.

> Thank you for your time and help and all your hard work on this project!
>
> ~Brent
