You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@spark.apache.org by "Ralph Goers (Jira)" <ji...@apache.org> on 2020/02/23 00:01:00 UTC
[jira] [Commented] (SPARK-6305) Add support for log4j 2.x to Spark
[ https://issues.apache.org/jira/browse/SPARK-6305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17042761#comment-17042761 ]
Ralph Goers commented on SPARK-6305:
------------------------------------
[~stevel@apache.org] Regarding your comment on Sept 17, 2019 - [CVE-2019-17571|https://nvd.nist.gov/vuln/detail/CVE-2019-17571] was created recently against Log4j 1. It is essentially the same as the CVE you noted above against Log4j 2. It was created specifically because people were confused in thinking that CVE-2017-5645 did not apply to Log4j 1. CVE-2019-17571 has been mitigated in third party distributions of Log4j but will never be fixedin an ASF distribution, so any use of Log4j 1 will now permanently show up in security scans, although some projects (ZOOKEEPER-3677) are choosing to suppress the security failure.
Also note that Log4j 2 now offers [experimental support|http://logging.apache.org/log4j/2.x/manual/compatibility.html] for Log4j 1 configuration files.
> Add support for log4j 2.x to Spark
> ----------------------------------
>
> Key: SPARK-6305
> URL: https://issues.apache.org/jira/browse/SPARK-6305
> Project: Spark
> Issue Type: Improvement
> Components: Build
> Reporter: Tal Sliwowicz
> Priority: Minor
>
> log4j 2 requires replacing the slf4j binding and adding the log4j jars in the classpath. Since there are shaded jars, it must be done during the build.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org