Well, log4j1 has its own vulnerabilities too.

Xeno Amess <xenoam...@gmail.com> wrote on Tue, Jan 4, 2022 at 02:09:

> he is complaining about this
> [image: image.png]
>
> JB Onofré <j...@nanthrax.net> wrote on Tue, Jan 4, 2022 at 02:03:
>
>> I don’t understand.
>>
>> Again ActiveMQ 5.16 is NOT impacted by log4shell.
>>
>> So why upgrade for that?
>>
>> And no, you won’t have 5.17.0 on 31/01 as I plan to start the vote on that date.
>>
>> I would rather explain to your customer that ActiveMQ still uses log4j 1 and so no need to update.
>>
>> We already explained this several times on the mailing list.
>>
>> If you want I can talk to you and your customer to explain and provide details.
>>
>> Regards
>> JB
>>
>> > On 3 Jan 2022 at 18:35, Laurent Blanquet <lblanq...@b2btechno.net> wrote:
>> >
>> > Indeed, they invoke CVE-2021-4104 + CVE-2019-17571 as the reasons why they want to migrate.
>> >
>> > Good news: we've obtained a deadline to 31/01/2022.
>> >
>> > Are you confident guys that we'll have the 5.17 release for this date or do we have to develop some kind of patch?
>> >
>> > Regards,
>> >
>> > Laurent
>> > -----Original Message-----
>> > From: Jean-Baptiste Onofré <j...@nanthrax.net>
>> > Sent: Monday, 3 January 2022 18:00
>> > To: dev@activemq.apache.org
>> > Subject: Re: ActiveMQ 5.17 and log4j2
>> >
>> > Only Log4j2 is impacted, not log4j 1.x.
>> >
>> > It's what I meant: ActiveMQ 5.16.x/5.15.x are not affected by log4shell vulnerability.
>> >
>> > Regards
>> > JB
>> >
>> >> On 03/01/2022 17:30, Xeno Amess wrote:
>> >> Just show the log4j2 cve list to that customer, and persuade him there is no hurry to migrate.
>> >>
>> >> XenoAmess
>> >> ________________________________
>> >> From: JB Onofré <j...@nanthrax.net>
>> >> Sent: Monday, January 3, 2022 11:31:30 PM
>> >> To: dev@activemq.apache.org <dev@activemq.apache.org>
>> >> Subject: Re: ActiveMQ 5.17 and log4j2
>> >>
>> >> About 5.16 no way: it’s log4j 1.x
>> >>
>> >> And log4j 1.x is not impacted by log4shell vulnerability so no need to update.
>> >>
>> >> Regards
>> >> JB
>> >>
>> >>>> On 3 Jan 2022 at 16:00, Laurent Blanquet <lblanq...@b2btechno.net> wrote:
>> >>>
>> >>> Hi Guys,
>> >>>
>> >>> It seems that the latest version available is still using log4j 1.2.17.
>> >>>
>> >>> Unfortunately we have a customer who has a strong requisite to migrate to log4j2 before the 10th of January!
>> >>>
>> >>> Is there a (simple) means to force this version (or 5.16.3 ?) to use log4j 2.17?
>> >>>
>> >>> Regards,
>> >>>
>> >>> Laurent