OK. Then I guess I forgot since it has been so long.

Ralph

> On Dec 10, 2020, at 1:09 PM, Gary Gregory <garydgreg...@gmail.com> wrote:
> 
> But there *is* an allowed list of Java classes and packages configured
> in org.apache.logging.log4j.util.FilteredObjectInputStream which the
> log4j-server module's servers use through ObjectInputStreamLogEventBridge.
> 
> Gary
> 
> On Thu, Dec 3, 2020 at 10:33 AM Ralph Goers <ralph.go...@dslextreme.com>
> wrote:
> 
>> There is a Jira issue to do that but as far as I know the Security bug was
>> never addressed in that code. In a quick glance at it I still see it
>> supporting Java serialized objects without any kind of whitelisting. I
>> don’t see anything in that repo besides the log server and I wouldn’t want
>> to release something with known security problems.
>> 
>> Ralph
>> 
>>> On Dec 3, 2020, at 8:09 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
>>> 
>>> Hi All:
>>> 
>>> We've never released from
>>> https://gitbox.apache.org/repos/asf?p=logging-log4j-tools.git and I'm
>>> currently using a SNAPSHOT build. Any thoughts on releasing from there?
>>> 
>>> Gary
>> 
>> 
>> 


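The deny-by-default allow-listing that the thread above describes, as an added Java example written for this page. It is not log4j's FilteredObjectInputStream and does not reproduce that class's actual allow list; the AllowListObjectInputStream, LogRecord and Unexpected types and the "com.example.events." package prefix are hypothetical, invented for the demonstration. The point it shows is that the check happens in resolveClass, before the class of an incoming object is loaded, so an unexpected class never gets to run static initializers or readObject().

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Hypothetical allow-listing ObjectInputStream written for this thread as an
 * illustration of the technique. It is NOT log4j's FilteredObjectInputStream,
 * and the allow list below is made up for the demo.
 */
public class AllowListDeserializationDemo {

    /** A harmless, application-owned type the server is willing to deserialize. */
    public static final class LogRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        final String level;
        final String message;
        LogRecord(String level, String message) { this.level = level; this.message = message; }
    }

    /** Stands in for any class the server never expects to see on the wire. */
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        final String payload = "not wanted";
    }

    /**
     * ObjectInputStream that refuses to resolve any class not on the allow list.
     * Deny by default: both exact class names and package prefixes are accepted.
     */
    public static final class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> allowedClasses;
        private final List<String> allowedPackagePrefixes;

        AllowListObjectInputStream(byte[] data, Set<String> allowedClasses,
                                   List<String> allowedPackagePrefixes) throws IOException {
            super(new ByteArrayInputStream(data));
            this.allowedClasses = allowedClasses;
            this.allowedPackagePrefixes = allowedPackagePrefixes;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!isAllowed(name)) {
                // Reject before the class is loaded, so no static initializer or
                // readObject() of an unexpected class ever runs.
                throw new InvalidClassException(name, "class not on deserialization allow list");
            }
            return super.resolveClass(desc);
        }

        boolean isAllowed(String name) {
            if (allowedClasses.contains(name)) return true;
            for (String prefix : allowedPackagePrefixes) {
                if (name.startsWith(prefix)) return true;
            }
            return false;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Allow only what the server actually needs; the package prefix is hypothetical.
        Set<String> classes = new HashSet<>(Collections.singletonList(LogRecord.class.getName()));
        List<String> prefixes = Arrays.asList("com.example.events.");

        // 1. An allow-listed type round-trips normally.
        byte[] good = serialize(new LogRecord("INFO", "hello"));
        try (AllowListObjectInputStream in = new AllowListObjectInputStream(good, classes, prefixes)) {
            LogRecord r = (LogRecord) in.readObject();
            System.out.println("accepted: " + r.level + " " + r.message);
        }

        // 2. Anything else is rejected before its class is resolved.
        byte[] bad = serialize(new Unexpected());
        try (AllowListObjectInputStream in = new AllowListObjectInputStream(bad, classes, prefixes)) {
            in.readObject();
            System.out.println("BUG: unexpected class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Keep the list as short as the server's real wire format requires: broad prefixes such as java.util. are where most known gadget chains start. On Java 9 and later the same policy can be expressed with the built-in java.io.ObjectInputFilter (JEP 290) via ObjectInputStream.setObjectInputFilter instead of overriding resolveClass.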