There is a Jira issue to do that but as far as I know the security bug was
never addressed in that code. In a quick glance at it I still see it supporting 
Java serialized objects without any kind of whitelisting. I don’t see anything 
in that repo besides the log server and I wouldn’t want to release something 
with known security problems.

Ralph

> On Dec 3, 2020, at 8:09 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
> 
> Hi All:
> 
> We've never released from
> https://gitbox.apache.org/repos/asf?p=logging-log4j-tools.git and I'm
> currently using a SNAPSHOT build. Any thoughts on releasing from there?
> 
> Gary

