Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [cross-project-issues-dev] Log4j 1.x vulnerability


I got in contact with the reload4j team. They changed the Bundle-SymbolicName to org.apache.log4j and fixed several OSGi meta data related issues in the meanwhile. Today they published 1.2.19 which should work as a drop-in replacement in Eclipse based applications where Require-Bundle was used. My local tests worked so far.

That said, re-bundling for Orbit should not be necessary as reload4j could directly be consumed via Maven Central. 

Just wanted to keep you updated. 


Ed Willink <ed.willink@xxxxxxxxx> schrieb am Mi., 26. Jan. 2022, 13:47:

On 26/01/2022 07:48, Christoph Läubrich wrote:
> Why not using SLF4J in all places and let the user choose the
> implementation with their favorite CVEs?

Use of SLF4J has been suggested before and so I tried to be a good
Eclipse citizen. My failed attempts are described in:

If SLF4J is to be used, can someone please ensure that the platform is
fit for purpose and that there is a good tutorial on how to do really
boring logging.


Ed Willink

This email has been checked for viruses by Avast antivirus software.

cross-project-issues-dev mailing list
To unsubscribe from this list, visit

Back to the top