he is complaining about this [image: image.png] JB Onofré <j...@nanthrax.net> 于2022年1月4日周二 02:03写道:
> I don’t understand. > > Again ActiveMQ 5.16 is NOT impacted by log4shell. > > So why upgrading for that ? > > And no, you won’t have 5.17.0 on 31/01 as I plan to start the vote on that > date. > > I would rather explain to your customer that ActiveMQ still use log4j 1 > and so no need to update. > > We already explained this several time on the mailing list. > > If you want I can talk to you and your customer to explain and provide > details. > > Regards > JB > > > Le 3 janv. 2022 à 18:35, Laurent Blanquet <lblanq...@b2btechno.net> a > écrit : > > > > In deed, they invoke CVE-2021-4104 + CVE-2019-17571 as the reasons why > they want to migrate. > > > > Good news: we've obtained a deadline to 31/01/2022. > > > > Are you confident guys that we'll have the 5.17 release for this date or > do we have to develop some kind of patch ? > > > > Regards, > > > > Laurent > > -----Message d'origine----- > > De : Jean-Baptiste Onofré <j...@nanthrax.net> > > Envoyé : lundi 3 janvier 2022 18:00 > > À : dev@activemq.apache.org > > Objet : Re: ActiveMQ 5.17 and log4j2 > > > > Log4j2 is only impacted, not log4j 1.x. > > > > It's what I meant: ActiveMQ 5.16.x/5.15.x are not affected by log4shell > vulnerability. > > > > Regards > > JB > > > >> On 03/01/2022 17:30, Xeno Amess wrote: > >> Just show the log4j2 cve list to that customer, and persuade him no > hurry to migrate. > >> > >> XenoAmess > >> ________________________________ > >> From: JB Onofré <j...@nanthrax.net> > >> Sent: Monday, January 3, 2022 11:31:30 PM > >> To: dev@activemq.apache.org <dev@activemq.apache.org> > >> Subject: Re: ActiveMQ 5.17 and log4j2 > >> > >> About 5.16 no way: it’s log4j 1.x > >> > >> And log4j 1.x is not impacted by log4shell vulnerability so no need to > update. > >> > >> Regards > >> JB > >> > >>>> Le 3 janv. 2022 à 16:00, Laurent Blanquet <lblanq...@b2btechno.net> > a écrit : > >>> > >>> Hi Guys, > >>> > >>> It seems that the latest version available is still using log4j 1.2.17. > >>> > >>> Unfortunately we have a customer who has a strong requisite to migrate > to log4j2 before 10 of January ! > >>> > >>> Is there a (simple) mean to force this version (or 5.16.3 ?) to use > log4j 2.17 ? > >>> > >>> Regards, > >>> > >>> Laurent > >> > >
