Issue tracking for Log4j 1 was handled in the ASF Bugzilla system. All the issues are still there but I believe the issue tracker was frozen when it was declared EOL.
Ralph

> On Dec 16, 2021, at 1:19 PM, Homer, Tony <tony.ho...@intel.com> wrote:
>
> There has been some discussion about releasing a security update for log4j
> 1.x (1.2.18, perhaps), both here and on
> https://github.com/apache/logging-log4j2/pull/608.
> Is there a JIRA open for this work?
> I'd like to provide some input, specifically that any security update should
> consider all of the following CVEs:
>
> https://nvd.nist.gov/vuln/detail/CVE-2019-17571
> consider starting with the Debian patch
> discussion: https://lists.debian.org/debian-lts-announce/2020/01/msg00008.html
> download: https://packages.debian.org/stretch/liblog4j1.2-java
> changelog:
> https://metadata.ftp-master.debian.org/changelogs//main/a/apache-log4j1.2/apache-log4j1.2_1.2.17-7+deb9u1_changelog
>
> https://nvd.nist.gov/vuln/detail/CVE-2020-9488
> consider removing SMTPAppender (brute force mitigation)
>
> https://nvd.nist.gov/vuln/detail/CVE-2021-4104
> consider removing JMSAppender (brute force mitigation)