Anton, Nikolay thanks. With this ticket[1] I change the default logger to ignite-log4j2 And I will mark log4j as deprecated.
before the review, I will check on the TC-bot and check on the Ducktests. [1] https://issues.apache.org/jira/browse/IGNITE-16626 пн, 28 февр. 2022 г. в 19:10, Anton Vinogradov <a...@apache.org>: > > But, seems, we can’t do it right now, because of existing deployments. > Correct > > > Let’s mark this module as deprecated and remove it in 2.14? > Possible way > > Also, we must check this will not cause problems at tests (eg. Ducktests) > > On Mon, Feb 28, 2022 at 6:48 PM Nikolay Izhikov <nizhi...@apache.org> > wrote: > > > Hello, Anton. > > > > +1 to remove outdated logging library. > > > > But, seems, we can’t do it right now, because of existing deployments. > > Let’s mark this module as deprecated and remove it in 2.14? > > > > > > > Not every deployment require to be secured. > > > > Disagree. > > We should update or workaround known security issues ASAP. > > > > > > > Not every deployment requires to use of log4j. > > > > > > > > Agree, but we shouldn’t provide or support modules with known security > > issues. > > > > > > > 28 февр. 2022 г., в 18:41, Anton Vinogradov <a...@apache.org> > написал(а): > > > > > > Your deployment has vulnerabilities only in case you configured log4j > as > > a > > > logger. > > > Not every deployment require to be secured. > > > Not every deployment requires to use of log4j. > > > > > > We must change the default logging library if the current is log4j and > > > provide the ability to use log4j as before (where it is required) but > > with > > > a warning, I think. > > > > > > On Mon, Feb 28, 2022 at 3:55 PM Sergei Ryzhov <s.vi.ryz...@gmail.com> > > wrote: > > > > > >> Hello, Igniters. > > >> > > >> log4j 1.2.17 is not supported and contains critical vulnerabilities > > >> I suggest excluding log4j 1.2.17 and module ignite-log4j from > ignite[1]. > > >> > > >> Direct vulnerabilities: > > >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305 > > >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302 > > >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104 > > >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571 > > >> > > >> WDYT? > > >> > > >> [1] https://issues.apache.org/jira/browse/IGNITE-16626 > > >> > > >> -- > > >> Best regards, > > >> Sergei Ryzhov > > >> > > > > > -- Best regards, Sergei Ryzhov
