[ https://issues.apache.org/jira/browse/STORM-3812?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Richard Zowalla closed STORM-3812.
----------------------------------
Resolution: Fixed
> Storm release packages log4j v1
> -------------------------------
>
> Key: STORM-3812
> URL: https://issues.apache.org/jira/browse/STORM-3812
> Project: Apache Storm
> Issue Type: Improvement
> Reporter: Liang Zhao
> Priority: Major
> Time Spent: 40m
> Remaining Estimate: 0h
>
> log4j v1 is at its EOL, but due to some implicit package references in
> maven, some tools/libs are still packaging log4j. All latest releases are
> being impacted.
>
> Packages impacted:
> * storm-autocreds
> * storm-kafka-monitor
>
> It would be good to fix/release this together with the recent log4j v2 CVEs, so
> that the vulnerability scan will be clear of log4j vulnerabilities.
>