You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@zookeeper.apache.org by "Filip (Jira)" <ji...@apache.org> on 2020/09/25 09:32:00 UTC

[jira] [Commented] (ZOOKEEPER-2342) Migrate to Log4J 2.

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17202026#comment-17202026 ] 

Filip commented on ZOOKEEPER-2342:
----------------------------------

[~cnauroth], upgrading to zookeeper 3.6.2 I see that Log4j is still not migrated to version 2. Scanning zookeeper image we found out vulnerabilities related to Log4j. Is this upgrade happening this year? Can we expect it in the next version?
Thanks

> Migrate to Log4J 2.
> -------------------
>
>                 Key: ZOOKEEPER-2342
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2342
>             Project: ZooKeeper
>          Issue Type: Bug
>            Reporter: Chris Nauroth
>            Assignee: Chris Nauroth
>            Priority: Major
>             Fix For: 3.7.0
>
>         Attachments: ZOOKEEPER-2342.001.patch
>
>
> ZOOKEEPER-1371 removed our source code dependency on Log4J.  It appears that this also removed the Log4J SLF4J binding jar from the runtime classpath.  Without any SLF4J binding jar available on the runtime classpath, it is impossible to write logs.
> This JIRA investigated migration to Log4J 2 as a possible path towards resolving the bug introduced by ZOOKEEPER-1371.  At this point, we know this is not feasible short-term.  This JIRA remains open to track long-term migration to Log4J 2.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)