You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@jena.apache.org by Andy Seaborne <an...@apache.org> on 2020/04/21 10:38:11 UTC

[ANN] Logging change.

We are changing the logging provider for slf4j from log4j1 to log4j2 at 
the next release, 3.15.0.

Largely, this is an invisible change.

This message is let anyone who has customized the logging output from 
Fuseki that this change is coming. It is necessary because log4j1 has a 
security alert (CVE-2019-17571) raised against it and the recommended 
response is to move to log4j2. While the specific issue does not affect 
the use made by Fuseki, the code is in the jarfile.

Fuseki will ship with log4j2 at version 3.15.0.

log4j1 configuration files are not compatible with log4j2.

API-using code has had to have its own slf4j setup for sometime.

Where the project artifacts include a full logging setup, such a Fuseki, 
there is no change needed when using the default output provided. It is 
customizations that may be impacted.

Applications using Jena LogCtl class will notice that log4j1 is not 
longer available.

The changes are in the development builds now.

----

log4j1 is EOL and getting no fixes so if you use it, beware you may need 
to change sometime. To do that, use this dependency:

     <dependency>
       <groupId>org.apache.logging.log4j</groupId>
       <artifactId>log4j-slf4j-impl</artifactId>
       <version>2.13.1</version>
     </dependency>

in place of:

     <dependency>
       <groupId>org.slf4j</groupId>
       <artifactId>slf4j-log4j12</artifactId>
       <version>...</version>
     </dependency>
     <dependency>
       <groupId>log4j</groupId>
       <artifactId>log4j</artifactId>
       <version>...</version>
     </dependency>

and change the logging configuration file.