> But, seems, we can’t do it right now, because of existing deployments. Correct
> Let’s mark this module as deprecated and remove it in 2.14? Possible way Also, we must check this will not cause problems at tests (eg. Ducktests) On Mon, Feb 28, 2022 at 6:48 PM Nikolay Izhikov <nizhi...@apache.org> wrote: > Hello, Anton. > > +1 to remove outdated logging library. > > But, seems, we can’t do it right now, because of existing deployments. > Let’s mark this module as deprecated and remove it in 2.14? > > > > Not every deployment require to be secured. > > Disagree. > We should update or workaround known security issues ASAP. > > > > Not every deployment requires to use of log4j. > > > > Agree, but we shouldn’t provide or support modules with known security > issues. > > > > 28 февр. 2022 г., в 18:41, Anton Vinogradov <a...@apache.org> написал(а): > > > > Your deployment has vulnerabilities only in case you configured log4j as > a > > logger. > > Not every deployment require to be secured. > > Not every deployment requires to use of log4j. > > > > We must change the default logging library if the current is log4j and > > provide the ability to use log4j as before (where it is required) but > with > > a warning, I think. > > > > On Mon, Feb 28, 2022 at 3:55 PM Sergei Ryzhov <s.vi.ryz...@gmail.com> > wrote: > > > >> Hello, Igniters. > >> > >> log4j 1.2.17 is not supported and contains critical vulnerabilities > >> I suggest excluding log4j 1.2.17 and module ignite-log4j from ignite[1]. > >> > >> Direct vulnerabilities: > >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305 > >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302 > >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104 > >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571 > >> > >> WDYT? > >> > >> [1] https://issues.apache.org/jira/browse/IGNITE-16626 > >> > >> -- > >> Best regards, > >> Sergei Ryzhov > >> > >
