Hi Brent, there is a discussion going on on the dev list with subject "Logback" if folks would like to participate.

Regards,

Patrick

On Fri, Dec 17, 2021 at 11:26 PM Brent <brentwritesc...@gmail.com> wrote:

> I just finished reading through the latest Jira comments and links. Has there been any consensus reached thus far on whether or not ZK is planning an upgrade to Log4j 2.16.0 (or at least providing it as an option behind slf4j)?
>
> I understand the arguments for/against Log4j 1.x and won't repeat them all here. I'm asking because I know some more cautious organizations are still taking action to attempt to mitigate existing ZK installations regardless.
>
> Has anyone made an attempt to see how much effort would be involved in the upgrade? Would you all be open to a pull request?
>
> Thanks for all of your hard work on ZK!
>
> ~Brent
>
> On Mon, Dec 13, 2021 at 8:36 AM Patrick Hunt <ph...@apache.org> wrote:
>
> > This issue is being tracked on ZOOKEEPER-4423.
> >
> > ZK 3.4 does not use log4j 2.x - all versions of zk currently use log4j 1.x.
> >
> > Regards,
> >
> > Patrick
> >
> > On Mon, Dec 13, 2021 at 4:02 AM Prasanna kumar <prasannakumarram...@gmail.com> wrote:
> >
> > > Could anyone confirm the same on 3.4 versions?
> > >
> > > On Sun, Dec 12, 2021 at 9:58 AM tison <wander4...@gmail.com> wrote:
> > >
> > > > Hi Anchal,
> > > >
> > > > I don't speak on behalf of the PMC but it seems ZK just uses log4j 1.x, not the affected version.
> > > >
> > > > Best,
> > > > tison.
> > > >
> > > > On Sun, Dec 12, 2021 at 12:19, Anchal Sharma2 <anchs...@in.ibm.com> wrote:
> > > >
> > > > > Hi All,
> > > > >
> > > > > Does anyone know the impact of the Log4J security vulnerability CVE-2021-44228 on zookeeper (version 3.5.8) and the mitigation? I couldn't find any news on the zookeeper website.
> > > > >
> > > > > Thanks
> > > > > Anchal Sharma