You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues-all@impala.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2022/10/11 21:24:00 UTC

[jira] [Commented] (IMPALA-11628) Investigate replacing log4j with reload4j

    [ https://issues.apache.org/jira/browse/IMPALA-11628?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17616079#comment-17616079 ] 

ASF subversion and git services commented on IMPALA-11628:
----------------------------------------------------------

Commit a1fddf1022b76d5226fe9d77f059f37bdee46c13 in impala's branch refs/heads/master from Michael Smith
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=a1fddf102 ]

IMPALA-11628: Switch to reload4j, update slf4j

Switches from log4j 1.x to reload4j, a maintained fork. Updates slf4j to
the latest version so we can include all CVE fixes.

slf4j 2.0.x requires Java 8 and adds a backward-compatible fluent
logging api. Neither seems like a problem for Impala.

Bans all use of log4j 1.x so we only use reload4j.

Change-Id: I5238b9c8247af3e0f4cb05c0b76a75bfee37f5c8
Reviewed-on: http://gerrit.cloudera.org:8080/19102
Tested-by: Impala Public Jenkins <im...@cloudera.com>
Reviewed-by: Joe McDonnell <jo...@cloudera.com>


> Investigate replacing log4j with reload4j
> -----------------------------------------
>
>                 Key: IMPALA-11628
>                 URL: https://issues.apache.org/jira/browse/IMPALA-11628
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Frontend
>    Affects Versions: Impala 4.2.0
>            Reporter: Joe McDonnell
>            Assignee: Michael Smith
>            Priority: Major
>
> log4j1 has been unmaintained and end of life for a while. Given the need for security and fixes for CVEs, this is unmaintainable. One option is to switch to log4j2, and that is tracked in IMPALA-9601. However, there is also the reload4j project (https://reload4j.qos.ch/) which is maintaining a patched log4j1.
> If this is a drop-in replacement, then this may be an easier path in the short term. It sounds worth exploring.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org