Re: [cross-project-issues-dev] Log4j 1.x vulnerability

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [cross-project-issues-dev] Log4j 1.x vulnerability

From: Ed Merks <ed.merks@xxxxxxxxx>
Date: Tue, 8 Feb 2022 15:54:19 +0100
Delivered-to: cross-project-issues-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/cross-project-issues-dev/>
List-help: <mailto:cross-project-issues-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev>, <mailto:cross-project-issues-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/cross-project-issues-dev>, <mailto:cross-project-issues-dev-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.5.1

Dirk,

Thanks. That's really great! It would be great for this release cycle if it were jar signed and available from Orbit so that we could ship it with 2022-03...

There are people who are concerned:

https://www.eclipse.org/forums/index.php/mv/msg/1109656/1849775/#msg_1849775

Though I'm not sure if they would consider the problem being fixed in 1.2.19 a fact and even if its a fact if it would be a fact that matters...

Regards,
Ed

On 08.02.2022 15:48, Dirk Fauth via cross-project-issues-dev wrote:

Hi,

I got in contact with the reload4j team. They changed the Bundle-SymbolicName to org.apache.log4j and fixed several OSGi meta data related issues in the meanwhile. Today they published 1.2.19 which should work as a drop-in replacement in Eclipse based applications where Require-Bundle was used. My local tests worked so far.

That said, re-bundling for Orbit should not be necessary as reload4j could directly be consumed via Maven Central.

Just wanted to keep you updated.

Greez,

Dirk

Ed Willink <ed.willink@xxxxxxxxx> schrieb am Mi., 26. Jan. 2022, 13:47:

Hi

On 26/01/2022 07:48, Christoph Läubrich wrote:
> Why not using SLF4J in all places and let the user choose the
> implementation with their favorite CVEs?

Use of SLF4J has been suggested before and so I tried to be a good
Eclipse citizen. My failed attempts are described in:

https://bugs.eclipse.org/bugs/show_bug.cgi?id=559532

If SLF4J is to be used, can someone please ensure that the platform is
fit for purpose and that there is a good tutorial on how to do really
boring logging.

Regards

Ed Willink

--
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev

Follow-Ups:
- Re: [cross-project-issues-dev] Log4j 1.x vulnerability
  - From: Dirk Fauth

References:
- [cross-project-issues-dev] Log4j 1.x vulnerability
  - From: Dirk Fauth
- Re: [cross-project-issues-dev] Log4j 1.x vulnerability
  - From: Ed Merks
- Re: [cross-project-issues-dev] Log4j 1.x vulnerability
  - From: Dietrich, Christian
- Re: [cross-project-issues-dev] Log4j 1.x vulnerability
  - From: Christoph Läubrich
- Re: [cross-project-issues-dev] Log4j 1.x vulnerability
  - From: Ed Willink
- Re: [cross-project-issues-dev] Log4j 1.x vulnerability
  - From: Dirk Fauth

Prev by Date: Re: [cross-project-issues-dev] Log4j 1.x vulnerability
Next by Date: Re: [cross-project-issues-dev] Log4j 1.x vulnerability
Previous by thread: Re: [cross-project-issues-dev] Log4j 1.x vulnerability
Next by thread: Re: [cross-project-issues-dev] Log4j 1.x vulnerability
Index(es):
- Date
- Thread

Breadcrumbs