That’s unrelated: it’s different and not as critical as log4shell. So, just to be clear:

- upgrading to ActiveMQ 5.17.0 regarding log4shell doesn’t make sense to me, as ActiveMQ 5.15/5.16 are not impacted
- as ActiveMQ 5.17.0 is a big change compared to 5.16 (it’s a larger jump than from 5.15 to 5.16), I don’t think it’s a good idea to upgrade “just for log4j”
- I won’t take any pressure about timing, as we include a lot of changes, and there is still some work to do. Target date is end of January.

So, I stay on my standpoint: just stay with ActiveMQ 5.16.3 (5.16.4 is also in preparation), it’s more secure than jumping directly to 5.17.0.

Regards
JB

> On 3 Jan 2022, at 19:09, Xeno Amess <xenoam...@gmail.com> wrote:
>
> well log4j1 has its own vulnerabilities too.
>
> On Tue, 4 Jan 2022 at 02:09, Xeno Amess <xenoam...@gmail.com> wrote:
> he is complaining about this
>
> On Tue, 4 Jan 2022 at 02:03, JB Onofré <j...@nanthrax.net> wrote:
> I don’t understand.
>
> Again ActiveMQ 5.16 is NOT impacted by log4shell.
>
> So why upgrade for that?
>
> And no, you won’t have 5.17.0 on 31/01 as I plan to start the vote on that date.
>
> I would rather explain to your customer that ActiveMQ still uses log4j 1 and so there is no need to update.
>
> We already explained this several times on the mailing list.
>
> If you want I can talk to you and your customer to explain and provide details.
>
> Regards
> JB
>
> > On 3 Jan 2022, at 18:35, Laurent Blanquet <lblanq...@b2btechno.net> wrote:
> >
> > Indeed, they invoke CVE-2021-4104 + CVE-2019-17571 as the reasons why they want to migrate.
> >
> > Good news: we've obtained a deadline of 31/01/2022.
> >
> > Are you confident guys that we'll have the 5.17 release for this date or do we have to develop some kind of patch?
> >
> > Regards,
> >
> > Laurent
> >
> > -----Original Message-----
> > From: Jean-Baptiste Onofré <j...@nanthrax.net>
> > Sent: Monday, 3 January 2022 18:00
> > To: dev@activemq.apache.org
> > Subject: Re: ActiveMQ 5.17 and log4j2
> >
> > Only log4j2 is impacted, not log4j 1.x.
> >
> > It's what I meant: ActiveMQ 5.16.x/5.15.x are not affected by the log4shell vulnerability.
> >
> > Regards
> > JB
> >
> >> On 03/01/2022 17:30, Xeno Amess wrote:
> >> Just show the log4j2 CVE list to that customer, and persuade him there is no hurry to migrate.
> >>
> >> XenoAmess
> >> ________________________________
> >> From: JB Onofré <j...@nanthrax.net>
> >> Sent: Monday, January 3, 2022 11:31:30 PM
> >> To: dev@activemq.apache.org <dev@activemq.apache.org>
> >> Subject: Re: ActiveMQ 5.17 and log4j2
> >>
> >> About 5.16 no way: it’s log4j 1.x
> >>
> >> And log4j 1.x is not impacted by the log4shell vulnerability so no need to update.
> >>
> >> Regards
> >> JB
> >>
> >>>> On 3 Jan 2022, at 16:00, Laurent Blanquet <lblanq...@b2btechno.net> wrote:
> >>>>
> >>>> Hi Guys,
> >>>>
> >>>> It seems that the latest version available is still using log4j 1.2.17.
> >>>>
> >>>> Unfortunately we have a customer who has a strong requisite to migrate to log4j2 before 10 January!
> >>>>
> >>>> Is there a (simple) means to force this version (or 5.16.3?) to use log4j 2.17?
> >>>>
> >>>> Regards,
> >>>>
> >>>> Laurent
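As an added example (not part of this thread or of ActiveMQ itself), the check a defender would run before arguing either way with a customer: inventory the log4j jars in an install directory, tell the 1.x line from the 2.x line by file name, and flag whether the two classes behind CVE-2021-4104 (JMSAppender) and CVE-2019-17571 (SocketServer) are actually present. The sample jars are constructed in a temp directory; pointing scan_lib_dir at a real lib/ directory checks an actual installation.

```python
"""Inventory the log4j jars shipped in an install (e.g. ActiveMQ's lib/) and report which
log4j line each belongs to and whether it carries the classes behind the log4j 1.x CVEs."""
import os
import re
import tempfile
import zipfile

# Real class paths. Presence only means the code ships; both CVEs require the appender/server to be configured or run.
MARKERS = {
    "org/apache/log4j/net/JMSAppender.class": "JMSAppender (CVE-2021-4104)",
    "org/apache/log4j/net/SocketServer.class": "SocketServer (CVE-2019-17571)",
}
# Matches log4j-1.2.17.jar as well as log4j-core-2.17.0.jar / log4j-api-2.17.0.jar
JAR_RE = re.compile(r"^log4j(?:-[a-z0-9]+)*-(\d+(?:\.\d+)+)\.jar$")

def inspect_jar(path):
    """Return (file name, 'log4j N.x' or 'unknown', [flagged classes found]) for one jar."""
    name = os.path.basename(path)
    m = JAR_RE.match(name)
    line = f"log4j {m.group(1).split('.')[0]}.x" if m else "unknown"
    with zipfile.ZipFile(path) as zf:
        entries = set(zf.namelist())
    return name, line, [desc for cls, desc in MARKERS.items() if cls in entries]

def scan_lib_dir(lib_dir):
    """Inspect every log4j*.jar directly under lib_dir, in name order."""
    return [inspect_jar(os.path.join(lib_dir, f)) for f in sorted(os.listdir(lib_dir))
            if f.startswith("log4j") and f.endswith(".jar")]

def build_sample_lib(lib_dir):
    """Constructed stand-ins (not real jars): zip files holding only the listed entry names."""
    samples = {
        "log4j-1.2.17.jar": ["org/apache/log4j/Logger.class"] + list(MARKERS),
        "log4j-core-2.17.0.jar": ["org/apache/logging/log4j/core/Logger.class"],
        "activemq-broker-5.16.3.jar": ["org/apache/activemq/broker/BrokerService.class"],
    }
    for jar, entries in samples.items():
        with zipfile.ZipFile(os.path.join(lib_dir, jar), "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"")
    return lib_dir

def demo():
    """Scan the constructed sample directory; a real run passes <activemq>/lib instead."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_lib_dir(build_sample_lib(tmp))

if __name__ == "__main__":
    for name, line, found in demo():
        print(f"{name}: {line}; {', '.join(found) or 'no flagged classes'}")
```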