Okay, my mistake, that makes it 3 people. The PMC is already in the process of resurrecting 1.x. Once the repo is up, we will be happy to review and merge your PRs, granted they only target security vulnerabilities.

On Fri, Dec 24, 2021 at 9:40 AM Andrew Marlow <[email protected]> wrote:

> On Thu, 23 Dec 2021 at 15:13, Volkan Yazıcı <[email protected]> wrote:
>
> > Vladimir, mind helping us to quantify this "need", please? To the best of
> > my knowledge, nobody has reached out to us with such a request except you
> > and Leo.
>
> That's not quite right. A while ago I asked if the RedHat fix could be
> added to log4j-1 to create version 1.2.18. This was to fix
> https://www.cvedetails.com/cve/CVE-2019-17571. RedHat have already
> implemented a fix for this which is included in RHEL. It was pointed out
> then that since log4j-1 is EOL no further releases would be made. I was
> very disappointed. Now people are talking about resurrecting log4j-1 just
> for fixing CVEs I would like people to consider doing this one first
> please.
>
> The Red Hat announcement of their fix can be seen at
> https://access.redhat.com/security/cve/cve-2019-17571
> Back in the day I tracked down their code fix and satisfied myself that it
> does the job. It was a bit of effort to track down but I'm sure Red Hat
> would help if we asked them nicely.
