On Thu, 23 Dec 2021 at 15:13, Volkan Yazıcı <vol...@yazi.ci> wrote:
> Vladimir, mind helping us to quantify this "need", please? To the best of
> my knowledge, nobody has reached out to us with such a request except you
> and Leo.

That's not quite right. A while ago I asked if the Red Hat fix could be added to log4j-1 to create version 1.2.18. This was to fix https://www.cvedetails.com/cve/CVE-2019-17571. Red Hat have already implemented a fix for this which is included in RHEL.

It was pointed out then that since log4j-1 is EOL no further releases would be made. I was very disappointed. Now people are talking about resurrecting log4j-1 just for fixing CVEs, I would like people to consider doing this one first please.

The Red Hat announcement of their fix can be seen at https://access.redhat.com/security/cve/cve-2019-17571

Back in the day I tracked down their code fix and satisfied myself that it does the job. It was a bit of effort to track down but I'm sure Red Hat would help if we asked them nicely.