On 05.01.22 at 23:23, Dmitriy Volodin - IDM-C via Squirrel-sql-users wrote:
> Are there any plans to migrate to Log4j 2 (2.17.1 at least)?
>
> Thanks!
>
I have not decided on this yet. I already know it requires some more
work than just updating the libraries. If someone would send me a patch
I'd promise to sympathetically consider it.
I'm also thinking about getting rid of Log4j altogether. I assume it
wouldn't be too hard to implement the logging functionality SQuirreL
needs myself. Of course a patch of that kind would be considered
friendly as well.
As to the vulnerabilities of Log4j that became known lately: I think
SQuirreL already dealt with these responsibly. Please see the two recent
change log entries starting with
"On Log4j vulnerability CVE-2021-44228 (log4shell) concerning Log4j2
versions from 2.0-beta9 to 2.14.1 ..."
and with
"Fixed Log4j vulnerability CVE-2021-4104 concerning Log4j version 1.*"
Also note that SQuirreL is a standalone application which does not offer
to be connected to from outside. Essentially the only remote component
that may cause SQuirreL to write logs is the databases you use SQuirreL
to connect to.
Gerd