vlsi commented on issue #5937: URL: https://github.com/apache/jmeter/issues/5937#issuecomment-2270562765
> Users can remove the status attribute and fall back to the default behavior.

Let me try again: the warning talks to the wrong people. JMeter application users can't fix their JMeter configuration so it adheres to the new best practices. Of course they can silence the warning; however, it does not fix it. The only way to truly fix the warning is to change JMeter sources, so the warning should talk to JMeter devs rather than JMeter users.

---

> downstream users can simply switch revert https://github.com/apache/jmeter/pull/5859

Unfortunately, log4j2 does not back-patch security fixes. In other words, if we stay on log4j 2.17.x (the version before #5859), then we would have to upgrade anyway if a new CVE is discovered. I wish they would reconsider and start patching the security issues in old releases.