[ https://issues.apache.org/jira/browse/SPARK-6305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17042761#comment-17042761 ]
Ralph Goers edited comment on SPARK-6305 at 2/23/20 12:01 AM:
--------------------------------------------------------------

[~ste...@apache.org] Regarding your comment on Sept 17, 2019 - [CVE-2019-17571|https://nvd.nist.gov/vuln/detail/CVE-2019-17571] was created recently against Log4j 1. It is essentially the same as the CVE you noted above against Log4j 2. It was created specifically because people were confused in thinking that CVE-2017-5645 did not apply to Log4j 1. CVE-2019-17571 has been mitigated in third party distributions of Log4j but will never be fixed in an ASF distribution, so any use of Log4j 1 will now permanently show up in security scans, although some projects (ZOOKEEPER-3677) are choosing to suppress the security failure.

Also note that Log4j 2 now offers [experimental support|http://logging.apache.org/log4j/2.x/manual/compatibility.html] for Log4j 1 configuration files.

> Add support for log4j 2.x to Spark
> ----------------------------------
>
> Key: SPARK-6305
> URL: https://issues.apache.org/jira/browse/SPARK-6305
> Project: Spark
> Issue Type: Improvement
> Components: Build
> Reporter: Tal Sliwowicz
> Priority: Minor
>
> log4j 2 requires replacing the slf4j binding and adding the log4j jars in the
> classpath. Since there are shaded jars, it must be done during the build.