There is a Jira issue to do that but as far as I know the Security bug was never addressed in that code. In a quick glance at it I still see it supporting Java serialized objects without any kind of whitelisting. I don’t see anything in that repo besides the log server and I wouldn’t want to release something with known security problems.
Ralph > On Dec 3, 2020, at 8:09 AM, Gary Gregory <garydgreg...@gmail.com> wrote: > > Hi All: > > We've never released from > https://gitbox.apache.org/repos/asf?p=logging-log4j-tools.git and I'm > currently using a SNAPSHOT build. Any thoughts on releasing from there? > > Gary