Posted to dev@avro.apache.org by "Martin Tzvetanov Grigorov (Jira)" <ji...@apache.org> on 2022/01/13 14:01:00 UTC
[jira] [Commented] (AVRO-3304) avro-tools Update log4j dependency for critical vulnerability
[ https://issues.apache.org/jira/browse/AVRO-3304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17475382#comment-17475382 ]
Martin Tzvetanov Grigorov commented on AVRO-3304:
-------------------------------------------------
avro-tools uses Log4j 1.x, which has not been maintained for 7 years now.
@ Avro team: is it OK to replace it with slf4j-simple?
> avro-tools Update log4j dependency for critical vulnerability
> -------------------------------------------------------------
>
> Key: AVRO-3304
> URL: https://issues.apache.org/jira/browse/AVRO-3304
> Project: Apache Avro
> Issue Type: Task
> Components: tools
> Affects Versions: 1.11.0
> Reporter: Daniel Nash
> Priority: Major
>
> Our company security is having a fit because Nessus scans are triggering on the bundled log4j in the avro-tools.jar. Please update the log4j dependencies to the latest versions to remove the critical vulnerability present in the currently bundled log4j.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)