[
https://issues.apache.org/jira/browse/ZOOKEEPER-2342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17353525#comment-17353525
]
Václav Haisman commented on ZOOKEEPER-2342:
-------------------------------------------
We are seeing the log4j 1.x vulnerabilities in our scans, too. Is there a way
forward with this migration? What about proceeding with this conversion by
doing the necessary breaking changes in a new major release, 4.0.0?
> Migrate to Log4J 2.
> -------------------
>
> Key: ZOOKEEPER-2342
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2342
> Project: ZooKeeper
> Issue Type: Bug
> Reporter: Chris Nauroth
> Assignee: Chris Nauroth
> Priority: Major
> Fix For: 3.8.0
>
> Attachments: ZOOKEEPER-2342.001.patch
>
>
> ZOOKEEPER-1371 removed our source code dependency on Log4J. It appears that
> this also removed the Log4J SLF4J binding jar from the runtime classpath.
> Without any SLF4J binding jar available on the runtime classpath, it is
> impossible to write logs.
> This JIRA investigated migration to Log4J 2 as a possible path towards
> resolving the bug introduced by ZOOKEEPER-1371. At this point, we know this
> is not feasible short-term. This JIRA remains open to track long-term
> migration to Log4J 2.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)