Subject: | Re: Log4Shell approaches |
From: | Matt Clarke via Tech-talk <tech-talk at aps.anl.gov> |
To: | "tech-talk at aps.anl.gov" <tech-talk at aps.anl.gov> |
Date: | Tue, 14 Dec 2021 06:42:16 +0000 |
Hi.

As far as I understand, the security issue has been fixed so updating should be sufficient.

From the Logback page: “Fortunately, logback is unrelated to log4j 2.x and does not share its vulnerabilities.”

If I was cynical I might read that as “it probably has its own unique vulnerabilities which haven’t been found yet” ;)

Ultimately, like a lot of OSS, both projects seem to be maintained by a handful of core developers.

Cheers,
Matt

From: Tech-talk <tech-talk-bounces at aps.anl.gov> on behalf of "Shankar, Murali via Tech-talk" <tech-talk at aps.anl.gov>

We were wondering if others had any recommendations on this. That is, should we continue using/migrating to log4j2 (and hope the security issues are fixed) or should we consider alternatives like logback etc. Any thoughts are appreciated.

Regards,
Murali