Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Drop-in reload4j #84

Closed
xabolcs opened this issue Jun 23, 2022 · 1 comment
Closed

Drop-in reload4j #84

xabolcs opened this issue Jun 23, 2022 · 1 comment

Comments

@xabolcs
Copy link
Contributor

xabolcs commented Jun 23, 2022
edited

(Split from #82)

The reload4j project offers a clear and easy migration path for the thousands of users who have an urgent need to fix vulnerabilities in log4j 1.2.17.

Goals

As mentioned above, the reload4j project aims to fix the most urgent issues in log4j 1.2.17. This is accomplished by the following steps:

Please refer to the news page for more details.

As both log4j 1.x and reload4j do not offer a message lookup mechanism, they did not suffer from the notorious log4shell vulnerability.
xabolcs added a commit that referenced this issue Jun 23, 2022
@xabolcs
Change log4j12 to reload4j (#84)
e8a8019 
reload4j is a drop-in replacement for log4j 1.2.17

The binary compatibility issue [0] between earlier versions of reload4j
and slf4j-log4j12 has been fixed.
Although it is recommended that you use slf4j-reload4j as the preferred
adapter for the slf4j/reload4j combination, with reload4j version 1.2.21
and later you can freely mix any version of slf4j-log4j12, if you have to.

From Docker:
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/src/openseedbox/lib/slf4j-reload4j-1.7.36.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/play/framework/lib/slf4j-log4j12-1.7.22.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.Reload4jLoggerFactory]

[0]: qos-ch/reload4j#41
xabolcs added a commit to openseedbox/openseedbox-server that referenced this issue Jul 7, 2022
@xabolcs
Change log4j12 to reload4j (openseedbox/openseedbox#84)
a3495f7 
reload4j is a drop-in replacement for log4j 1.2.17

The binary compatibility issue [0] between earlier versions of reload4j
and slf4j-log4j12 has been fixed.
Although it is recommended that you use slf4j-reload4j as the preferred
adapter for the slf4j/reload4j combination, with reload4j version 1.2.21
and later you can freely mix any version of slf4j-log4j12, if you have to.

From Docker:
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/src/openseedbox-server/lib/slf4j-reload4j-1.7.36.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/play/framework/lib/slf4j-log4j12-1.7.22.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.Reload4jLoggerFactory]

[0]: qos-ch/reload4j#41
@xabolcs
Copy link
Contributor Author

xabolcs commented Jul 7, 2022

openseedbox/server images were just updated.

I'll keep this open until WAR packaging (#82) get done.

@xabolcs xabolcs closed this as completed Jul 12, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@xabolcs