+1 to deprecate the 'ignite-log4j' module and remove it in the next releases.

On Tue, Mar 1, 2022 at 20:40, Sergei Ryzhov <s.vi.ryz...@gmail.com> wrote:
>
> Anton, Nikolay thanks.
>
> With this ticket[1] I change the default logger to ignite-log4j2
> And I will mark log4j as deprecated.
>
> before the review, I will check on the TC-bot and check on the Ducktests.
>
> [1] https://issues.apache.org/jira/browse/IGNITE-16626
>
> On Mon, Feb 28, 2022 at 19:10, Anton Vinogradov <a...@apache.org> wrote:
> >
> > > But, seems, we can’t do it right now, because of existing deployments.
> > Correct
> >
> > > Let’s mark this module as deprecated and remove it in 2.14?
> > Possible way
> >
> > Also, we must check this will not cause problems at tests (e.g. Ducktests)
> >
> > On Mon, Feb 28, 2022 at 6:48 PM Nikolay Izhikov <nizhi...@apache.org> wrote:
> >
> > > Hello, Anton.
> > >
> > > +1 to remove outdated logging library.
> > >
> > > But, seems, we can’t do it right now, because of existing deployments.
> > > Let’s mark this module as deprecated and remove it in 2.14?
> > >
> > > > Not every deployment requires to be secured.
> > >
> > > Disagree.
> > > We should update or workaround known security issues ASAP.
> > >
> > > > Not every deployment requires to use of log4j.
> > >
> > > Agree, but we shouldn’t provide or support modules with known security issues.
> > >
> > > > On Feb 28, 2022, at 18:41, Anton Vinogradov <a...@apache.org> wrote:
> > > >
> > > > Your deployment has vulnerabilities only in case you configured log4j as a logger.
> > > > Not every deployment requires to be secured.
> > > > Not every deployment requires to use of log4j.
> > > >
> > > > We must change the default logging library if the current is log4j and
> > > > provide the ability to use log4j as before (where it is required) but with
> > > > a warning, I think.
> > > >
> > > > On Mon, Feb 28, 2022 at 3:55 PM Sergei Ryzhov <s.vi.ryz...@gmail.com> wrote:
> > > >
> > > >> Hello, Igniters.
> > > >>
> > > >> log4j 1.2.17 is not supported and contains critical vulnerabilities
> > > >> I suggest excluding log4j 1.2.17 and module ignite-log4j from ignite[1].
> > > >>
> > > >> Direct vulnerabilities:
> > > >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305
> > > >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302
> > > >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
> > > >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571
> > > >>
> > > >> WDYT?
> > > >>
> > > >> [1] https://issues.apache.org/jira/browse/IGNITE-16626
> > > >>
> > > >> --
> > > >> Best regards,
> > > >> Sergei Ryzhov
>
> --
> Best regards,
> Sergei Ryzhov

--
Best wishes,
Amelchev Nikita