List: slf4j-dev
Subject: Re: [slf4j-dev] Outdated log4j dependency
From: Florian_Pöhr <florian.poehr () nomapo ! com>
Date: 2021-07-16 8:29:00
Message-ID: 043a9e0e-6e47-f72c-0508-cab154b75012 () nomapo ! com
Hello Ralph,

thanks a lot for the quick reply!

I agree that using Log4j 2 would be a better idea. Unfortunately it is
not me using slf4j-log4j12.jar but another project I am dependent upon
(https://github.com/dcm4che/dcm4che to be precise). So this decision is
out of my hands.

I only now understood that the name slf4j-log4j12.jar probably points
to log4j version 1.2.x and this dependency will therefore never be
updated to a newer log4j version. I somehow got the impression from the
documentation (http://www.slf4j.org/manual.html) that this is the standard
way to add log4j (and hence the question why such an old version of log4j
is used in that case).

Thanks a lot and have a great weekend,
Florian

On 16.07.2021 at 09:46, Ralph Goers wrote:
> The SLF4J API does not have a dependency on any logging implementation, including
> log4j 1.2. If you do not want the binding to log4j 1.2 simply do not include the
> slf4j-log4j12 jar.
>
> Log4j 2 provides the binding between the SLF4J API and Log4j's API. This is done by
> including the log4j-slf4j or log4j-slf4j18 jars provided by Log4j 2. Note that
> while the log4j-slf4j18 jar will provide some compatibility with slf4j-2.0, a new
> bridge will be required to fully support it as there are new classes in SLF4J 2.0
> that must be accessed at compile time to take advantage of those features, and that
> cannot be done in log4j-slf4j18 without breaking backward compatibility.
>
> FWIW, Log4j 2 also provides the log4j-1.2-api binding which allows the log4j-1.2.17
> jar to be removed and routes calls to log4j-1.2 to log4j 2 instead.
>
> Finally, you could use the Log4j 2 API instead of SLF4J if you want. It provides
> all the features of SLF4J - i.e. it does not lock you into using the Log4j 2
> implementation.
>
> Ralph
>
> > On Jul 15, 2021, at 8:34 PM, Florian Pöhr <florian.poehr@nomapo.com> wrote:
> >
> > Dear Slf4j team,
> >
> > I noticed that when using Slf4j with log4j the dependency that gets pulled by
> > Slf4j is outdated (log4j-1.2.17.jar). Log4J 1.2.17 reached end of life in 2015
> > (see http://logging.apache.org/log4j/1.2/download.html).
> > This leads to the following problems:
> >
> > * Log4J 1.2.17 contains a security vulnerability (see
> >   https://nvd.nist.gov/vuln/detail/CVE-2019-17571 )
> > * Log4J 1.2.17 contains a dirty bugfix that messes up the java module system (see
> >   https://stackoverflow.com/questions/60130941/resolutionexception-in-java-11 )
> >
> > Therefore I wanted to ask: are there any plans to switch to a newer Log4J 2.x
> > version in the near future? I guess I am not the only one having problems with
> > this dependency.
> >
> > Best regards,
> >
> > Florian Poehr
> >
> > _______________________________________________
> > slf4j-dev mailing list
> > slf4j-dev@qos.ch
> > http://mailman.qos.ch/mailman/listinfo/slf4j-dev
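For the situation discussed in this thread, where the Log4j 1.2 binding arrives through a third-party library rather than a direct declaration, here is an added example (not from the thread or from the SLF4J or Log4j projects) that parses `mvn dependency:tree` text output and reports which direct dependency pulls in `slf4j-log4j12` or `log4j:log4j`. The tree text, the `com.example` coordinates and every version number other than 1.2.17 are constructed.

```python
import re

# Artifacts that are, or bind SLF4J to, the end-of-life Log4j 1.2 line.
LEGACY = {("org.slf4j", "slf4j-log4j12"), ("log4j", "log4j")}

# Constructed `mvn dependency:tree` output. The com.example coordinates and all
# versions except log4j 1.2.17 are placeholders, not values from the thread.
SAMPLE_TREE = """\
[INFO] com.example:viewer:jar:1.0.0
[INFO] +- com.example:imaging-lib:jar:5.0.0:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] |  \\- org.slf4j:slf4j-log4j12:jar:1.7.30:compile
[INFO] |     \\- log4j:log4j:jar:1.2.17:compile
[INFO] \\- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
"""

# Tree-drawing prefix (three characters per level), then group:artifact:type:version[:scope].
LINE = re.compile(r"^\[INFO\] ([|+\\ -]*)([A-Za-z][\w.-]*(?::[\w.-]+){3,5})\s*$")


def find_legacy_log4j(tree_text):
    """Return (legacy coordinate, path starting at the direct dependency) per hit."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # Maven banner, summary and blank lines
        depth = len(m.group(1)) // 3
        parts = m.group(2).split(":")
        # The root line has no scope field, so its version is the last part.
        version = parts[-1] if depth == 0 else parts[-2]
        coord = f"{parts[0]}:{parts[1]}:{version}"
        del stack[depth:]          # drop siblings and deeper levels
        stack.append(coord)
        if depth > 0 and (parts[0], parts[1]) in LEGACY:
            hits.append((coord, stack[1:]))
    return hits


if __name__ == "__main__":
    for coord, path in find_legacy_log4j(SAMPLE_TREE):
        # path[0] is the direct dependency on which an exclusion would be declared
        print(f"{coord} via {' -> '.join(path)}")
```

The first element of each reported path is the dependency declaration where `slf4j-log4j12` and `log4j` would be excluded before adding one of the Log4j 2 bindings named in the quoted reply.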