This repository has been archived by the owner on Sep 13, 2023. It is now read-only.

vulnerability for Version 1.x. CVE-2021-4104 #15

Open
wants to merge 2 commits into
base: trunk

Conversation

zg2pro

@zg2pro zg2pro commented Dec 17, 2021

Hi,

Further to this vulnerability discovered in v1.x, can we possibly release log4j without the JMSAppender? Here are the recommendations provided on SLF4J's website: http://slf4j.org/log4shell.html
See section on log4j 1.x:

In the absence of a new log4j 1.x release, you can remove JMSAppender from the log4j-1.2.17.jar artifact yourself. Here is the command:

   zip -d log4j-1.2.17.jar org/apache/log4j/net/JMSAppender.class

As tampering with the contents of public libs is not handy, this release would help.

I'm calling to contributors, @tallpsmith @scottdeboy @YoavShapira @grobmeier @garydgregory @pfumagalli I hope one of you is still active

Best regards,
Gregory
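The recommendation quoted above is to strip the JMSAppender class out of the 1.x jar with `zip -d`. The following is an added example, not code from this repository or from the SLF4J page, that does the same thing portably: it checks a jar for the `org/apache/log4j/net/JMSAppender.class` entry and, if present, rewrites the archive without it. The sample archive it builds is a constructed stand-in for `log4j-1.2.17.jar`, not the real artifact; the function names are this example's own.

```python
import io
import sys
import zipfile

# Entry named in the SLF4J recommendation: `zip -d log4j-1.2.17.jar org/apache/log4j/net/JMSAppender.class`.
JMSAPPENDER_ENTRY = "org/apache/log4j/net/JMSAppender.class"


def list_entries(jar_bytes):
    """Return every entry name in the jar (a jar is a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.namelist()


def find_jmsappender(jar_bytes):
    """Return the entries matching the JMSAppender class; an empty list means it is absent."""
    return [name for name in list_entries(jar_bytes) if name == JMSAPPENDER_ENTRY]


def strip_entries(jar_bytes, entries_to_drop):
    """Rewrite the jar without the named entries.

    Python's zipfile cannot delete in place, so every other entry is copied into a
    fresh archive, which is equivalent to running `zip -d` on the original file.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename in entries_to_drop:
                continue
            # Passing the ZipInfo keeps timestamps and compression method of the entry.
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def check_and_fix(jar_bytes):
    """Detect JMSAppender and return (possibly rewritten jar, list of removed entries)."""
    hits = find_jmsappender(jar_bytes)
    if not hits:
        return jar_bytes, []
    return strip_entries(jar_bytes, set(hits)), hits


def build_sample_jar():
    """Constructed sample: a tiny archive shaped like a log4j 1.x jar (not the real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        # Placeholder class bodies; only the entry names matter for this check.
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe placeholder")
        zf.writestr(JMSAPPENDER_ENTRY, b"\xca\xfe\xba\xbe placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python strip_jmsappender.py <jar>  (rewrites <jar> in place if JMSAppender is found)
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        fixed, removed = check_and_fix(data)
        if removed:
            with open(sys.argv[1], "wb") as fh:
                fh.write(fixed)
        print("removed:", removed or "nothing (JMSAppender not present)")
    else:
        sample = build_sample_jar()
        fixed, removed = check_and_fix(sample)
        print("sample jar before:", find_jmsappender(sample))
        print("sample jar after:", find_jmsappender(fixed), "removed:", removed)
```

Run it on a real jar path to check or patch a deployed copy, or with no arguments to see it act on the constructed sample. Because the archive is rewritten rather than edited in place, verify the result with `jar tf` (or `unzip -l`) before redeploying it, and keep a copy of the original jar alongside the patched one.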

@lsimons

lsimons commented Dec 17, 2021

Hey, @zg2pro, you're not the only one with this suggestion! A few of us have been discussing what to do already. I just opened PR #16 with how far we got so far.

At Apache most communication happens on mailing lists. Could you join us there? See https://logging.apache.org/log4j/2.x/mail-lists.html for more information.

@lsimons

lsimons commented Jan 20, 2022

This PR should be closed.

See https://github.com/apache/logging-log4j1/blob/main/README.md for rationale.

See

for a maintained/released fork with security fixes.
