Posted to issues@storm.apache.org by "PJ Fanning (Jira)" <ji...@apache.org> on 2022/02/05 12:48:00 UTC
[jira] [Commented] (STORM-3812) Storm release packages log4j v1
[ https://issues.apache.org/jira/browse/STORM-3812?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17487480#comment-17487480 ]
PJ Fanning commented on STORM-3812:
-----------------------------------
[~1zha0] is this a duplicate of STORM-3811?
> Storm release packages log4j v1
> -------------------------------
>
> Key: STORM-3812
> URL: https://issues.apache.org/jira/browse/STORM-3812
> Project: Apache Storm
> Issue Type: Improvement
> Reporter: Liang Zhao
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> log4j v1 is at its EOL, but due to some implicit package references in Maven, some tools/libs are still packaging log4j. All latest releases are being impacted.
>
> Packages impacted:
> * storm-autocreds
> * storm-kafka-monitor
>
> It would be good to fix/release this together with the recent log4j v2 CVEs, so that the vulnerability scan will be clear of log4j vulnerabilities.
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)