[ 
https://issues.apache.org/jira/browse/SPARK-6305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17042761#comment-17042761
 ] 

Ralph Goers edited comment on SPARK-6305 at 2/23/20 12:01 AM:
--------------------------------------------------------------

[~ste...@apache.org]  Regarding your comment on Sept 17, 2019 - 
[CVE-2019-17571|https://nvd.nist.gov/vuln/detail/CVE-2019-17571] was created 
recently against Log4j 1. It is essentially the same as the CVE you noted above 
against Log4j 2. It was created specifically because people were confused in 
thinking that CVE-2017-5645 did not apply to Log4j 1. CVE-2019-17571 has been 
mitigated in third party distributions of Log4j but will never be fixed in an 
ASF distribution, so any use of Log4j 1 will now permanently show up in 
security scans, although some projects (ZOOKEEPER-3677) are choosing to 
suppress the security failure.

Also note that Log4j 2 now offers [experimental 
support|http://logging.apache.org/log4j/2.x/manual/compatibility.html] for 
Log4j 1 configuration files.


> Add support for log4j 2.x to Spark
> ----------------------------------
>
>                 Key: SPARK-6305
>                 URL: https://issues.apache.org/jira/browse/SPARK-6305
>             Project: Spark
>          Issue Type: Improvement
>          Components: Build
>            Reporter: Tal Sliwowicz
>            Priority: Minor
>
> log4j 2 requires replacing the slf4j binding and adding the log4j jars in the 
> classpath. Since there are shaded jars, it must be done during the build.


