Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [cross-project-issues-dev] Log4j 1.x vulnerability
On Wed, Jan 26, 2022 at 8:48 AM Christoph Läubrich <laeubi@xxxxxxxxxxxxxx> wrote:
I think redirecting logging messages to the eclipse log would better be
done like SLF4j-osgi [1]

What I really wonder is: Have these project really a hard
requirement/demand on using especially Log4J(1/2)?

Why not using SLF4J in all places and let the user choose the
implementation with their favorite CVEs?

It could even be a simrel rules that logging is only done through SLF4J
we can include the slf4joverX in the platform and SLF4j-osgi as the
default implementation so everything goes to the eclipse /osgi log.

+1
if we go for this solution we need to ensure that the issue with modified MDC initialization in reload4j 
which is mentioned in 
is also addressed in slf4j-osgi
 
[1] https://github.com/osgi/slf4j-osgi

Am 26.01.22 um 06:56 schrieb Dietrich, Christian:
> we at Xtext have already a issue to track it on our side
> https://github.com/eclipse/xtext/issues/2028
> <https://github.com/eclipse/xtext/issues/2028>
>
> unfortunately Xtext in the current release has require bundle (if i
> catched them all they should be gone in 2.26.0.M3) but the bigger
> problem is this one here
> https://github.com/eclipse/xtext-eclipse/blob/ffa3cf77753ebc29687768731a5d45416d2b50f1/org.eclipse.xtext.logging/META-INF/MANIFEST.MF#L5
> <https://github.com/eclipse/xtext-eclipse/blob/ffa3cf77753ebc29687768731a5d45416d2b50f1/org.eclipse.xtext.logging/META-INF/MANIFEST.MF#L5>
>
> i guess also some downsteam components in simrel would have to pick up a
> new Xtext release.
> i am not sure how much time i can spent to "pay attention" in feb and
> what the webmaster team will break
> so that i am not sure if it is a good idea to add the new Xtext release
> to simrel
>
> kind regards
> Christian
>
> Vorstand/Board: Jens Wagener (Vors./chairman), Dr. Stephan Eberle,
> Abdelghani El-Kacimi, Wolfgang Neuhaus, Franz-Josef Schuermann
> Aufsichtsrat/Supervisory Board: Michael Neuhaus (Vors./chairman), Harald
> Goertz, Eric Swehla
> Sitz der Gesellschaft/Registered Office: Am Brambusch 15-24, 44536 Lünen
> (Germany)
> Registergericht/Registry Court: Amtsgericht Dortmund | HRB 20621
>
> _______________________________________________
> cross-project-issues-dev mailing list
> cross-project-issues-dev@xxxxxxxxxxx
> To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev

Back to the top