There has been some discussion about releasing a security update for log4j 1.x (1.2.18, perhaps), both here and on https://github.com/apache/logging-log4j2/pull/608. Is there a JIRA open for this work? I'd like to provide some input, specifically that any security update should consider all of the following CVEs:
https://nvd.nist.gov/vuln/detail/CVE-2019-17571
    consider starting with the Debian patch discussion: https://lists.debian.org/debian-lts-announce/2020/01/msg00008.html
    download: https://packages.debian.org/stretch/liblog4j1.2-java
    changelog: https://metadata.ftp-master.debian.org/changelogs//main/a/apache-log4j1.2/apache-log4j1.2_1.2.17-7+deb9u1_changelog

https://nvd.nist.gov/vuln/detail/CVE-2020-9488
    consider removing SMTPAppender (brute force mitigation)

https://nvd.nist.gov/vuln/detail/CVE-2021-4104
    consider removing JMSAppender (brute force mitigation)
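As an added illustration (not part of the mailing-list post and not log4j project code), a small check that flags the two appenders named above in a log4j 1.x configuration, so a deployer can see whether SMTPAppender or JMSAppender is actually wired up before deciding on the "remove the appender" mitigation. The class names are the standard log4j 1.x ones; the sample configurations and the mapping of class to CVE are constructed for this example.

```python
"""Flag log4j 1.x appenders tied to CVE-2020-9488 (SMTPAppender) and
CVE-2021-4104 (JMSAppender) in log4j.properties or log4j.xml content."""
import re
import xml.etree.ElementTree as ET

# Mapping of appender class to the CVE discussed above (constructed for this example).
RISKY_CLASSES = {
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
    "org.apache.log4j.net.SMTPAppender": "CVE-2020-9488",
}

# Constructed sample inputs: one properties-style and one XML-style configuration.
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
"""

SAMPLE_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="mail" class="org.apache.log4j.net.SMTPAppender"/>
  <appender name="file" class="org.apache.log4j.FileAppender"/>
</log4j:configuration>
"""


def find_risky_appenders_properties(text):
    """Return (appender name, CVE) for each 'log4j.appender.NAME=CLASS' line
    whose CLASS is in RISKY_CLASSES. Sub-keys such as NAME.layout never match
    because their values are layout classes, not appender classes."""
    hits = []
    for line in text.splitlines():
        m = re.match(r"\s*log4j\.appender\.([\w.-]+)\s*=\s*([\w.]+)", line)
        if m and m.group(2) in RISKY_CLASSES:
            hits.append((m.group(1), RISKY_CLASSES[m.group(2)]))
    return hits


def find_risky_appenders_xml(text):
    """Same check for log4j.xml: inspect every <appender class="..."> element."""
    root = ET.fromstring(text)
    hits = []
    for el in root.iter("appender"):
        cls = el.get("class", "")
        if cls in RISKY_CLASSES:
            hits.append((el.get("name", "?"), RISKY_CLASSES[cls]))
    return hits


if __name__ == "__main__":
    print(find_risky_appenders_properties(SAMPLE_PROPERTIES))
    print(find_risky_appenders_xml(SAMPLE_XML))
```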