[wildfly-dev] EXTERNAL: Re: wildfly and transitive dependency to log4j-v1, possibly via apache cxf
Marlow, Andrew
Andrew.Marlow at fisglobal.com
Tue Dec 3 07:21:01 EST 2019
Hello James and thank you for your quick reply.
It is indeed unfortunate that log4j-v1 is to be retained. I think that this will have to result in an official fix to log4j-v1 being made at some point. I think it’s just a matter of time before there is a CVE for log4j-v1.
From: wildfly-dev-bounces at lists.jboss.org <wildfly-dev-bounces at lists.jboss.org> On Behalf Of James Perkins
Sent: 02 December 2019 18:37
To: agents at andrewpetermarlow.co.uk
Cc: wildfly-dev at lists.jboss.org
Subject: EXTERNAL: Re: [wildfly-dev] wildfly and transitive dependency to log4j-v1, possibly via apache cxf
Unfortunately we can't remove log4j support. We also need to support log4j v1 for legacy application support. We actually use a fork [1] of log4j which delegates the actual logging to the JBoss Log Manager.
[1]: https://github.com/jboss-logging/log4j-jboss-logmanager
On Sun, Dec 1, 2019 at 2:03 AM Andrew Marlow <marlow.agents at gmail.com> wrote:
Hello everyone,
I am trying to build the latest wildfly from a clone of the github repo at https://github.com/bstansberry/wildfly.git. I understand this is the latest and is from the principal maintainer, Brian Stansberry. I've changed the pom references to the old log4j-v1 to the new log4j-v2 but a pom dependency analysis reveals there is still a dependency on v1. I am at a loss as to where exactly it is coming from. I hope someone here can shed some light please.
The relevant part of the dependency tree is shown from the extract below:
INFO [m] org.wildfly:wildfly-ts-integ-smoke:jar:19.0.0.Beta1-SNAPSHOT
INFO [m] +- org.jboss.ws.cxf:jbossws-cxf-client:jar:5.3.0.Final:test
:
INFO [m] | +- log4j:log4j:jar:1.2.17:test
Initially I thought it might be coming via an old version of apache CXF but I see from the top level pom that version 3.3.4 is being used, which is the latest. Any ideas?
--
Regards,
Andrew Marlow
http://www.andrewpetermarlow.co.uk
_______________________________________________
wildfly-dev mailing list
wildfly-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/wildfly-dev
--
James R. Perkins
JBoss by Red Hat
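The search asked about in the original question (which dependency drags in log4j:log4j 1.2.17), as an added example that is not part of the thread or of WildFly's build: it walks `mvn dependency:tree` text output and returns the full path from the module root to each matching artifact. The sample tree is constructed, and the `org.example:*` coordinates are placeholders standing in for whatever the elided part of the real tree contains.

```python
import re

# Constructed sample in the standard text format of `mvn dependency:tree`.
# The org.example:* coordinates are placeholders, not taken from the thread.
SAMPLE_TREE = """\
[INFO] org.wildfly:wildfly-ts-integ-smoke:jar:19.0.0.Beta1-SNAPSHOT
[INFO] +- org.jboss.ws.cxf:jbossws-cxf-client:jar:5.3.0.Final:test
[INFO] |  +- org.example:intermediate-lib:jar:1.0:test
[INFO] |  |  \\- log4j:log4j:jar:1.2.17:test
[INFO] |  \\- org.example:other-lib:jar:2.0:test
[INFO] \\- junit:junit:jar:4.12:test
"""

# The tree prefix is built from 3-character cells: "|  ", "   ", "+- ", "\- ".
NODE = re.compile(r"^\[INFO\] ((?:[| ]  |[+\\]- )*)([^\s:]+(?::[^\s:]+){3,})$")


def paths_to(tree_text, group, artifact, version_prefix=""):
    """Return each root-to-node path that ends at group:artifact."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line.rstrip())
        if not m:
            continue  # plugin banners, build summary, blank lines
        depth = len(m.group(1)) // 3
        coord = m.group(2)
        del stack[depth:]  # drop the previous sibling and its subtree
        stack.append(coord)
        parts = coord.split(":")
        # Dependencies end in version:scope; a module root ends in version.
        version = parts[-1] if depth == 0 else parts[-2]
        if parts[:2] == [group, artifact] and version.startswith(version_prefix):
            hits.append(list(stack))
    return hits


if __name__ == "__main__":
    for path in paths_to(SAMPLE_TREE, "log4j", "log4j", "1."):
        print("\n  -> ".join(path))
        if len(path) > 1:
            # path[1] is the direct dependency an <exclusion> would attach to
            print("direct dependency:", path[1])
```

On a real build, `mvn dependency:tree -Dincludes=log4j:log4j` asks Maven to prune the tree to the same paths before any parsing is needed.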